The Virginia Consumer Data Protection Act (VCDPA) is a state-level data protection law enacted in Virginia, USA, aimed at safeguarding the privacy and rights of consumers concerning their personal data.
It imposes obligations on businesses handling personal data and grants rights to consumers regarding the collection, use, and protection of their data.
Under the VCDPA, businesses are required to comply with specific data protection principles, including transparency, purpose limitation, data minimization, and security safeguards.
They must also provide consumers with certain rights, such as the right to access, correct, delete, and opt out of the sale or processing of their personal data.
For example, if you operate an online store that collects and processes personal data of Virginia residents, such as names, email addresses, or payment information, you must comply with the VCDPA by implementing data protection measures, providing privacy notices, and honoring consumer rights requests.
The VCDPA applies to a broad range of businesses that process personal data of Virginia residents and meet certain thresholds, including those that control or process data of at least 100,000 consumers annually or derive at least 50% of their gross revenue from the sale of personal data and process data of at least 25,000 consumers annually.
Businesses subject to the VCDPA are required to establish and maintain comprehensive data protection programs, conduct privacy impact assessments for certain processing activities, and appoint a designated individual responsible for ensuring compliance with the law.
Failure to comply with the VCDPA can result in penalties and enforcement actions by the Virginia Attorney General, including fines of up to $7,500 per violation and injunctive relief to cease unlawful data processing practices.