Virginia
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
Virginia's VCDPA gives you the right to opt out of data brokers.
What the VCDPA does for you
Under Virginia's Consumer Data Protection Act (VCDPA), you have the right to know what personal data companies collect about you, correct inaccuracies, request deletion, and get a portable copy of your data. You can also opt out of the sale of your data, targeted advertising, and certain automated decision-making. These rights apply to Virginia residents dealing with businesses that meet specific size thresholds.
Your rights under the VCDPA
Right to Know
You have the right to confirm whether a business is processing your personal data and to access what data they have about you.
Exceptions: Does not apply to de-identified or publicly available information; Does not apply to data subject to HIPAA, GLBA, FCRA, FERPA, or other federal exemptions; Controller may decline if it cannot authenticate the request using commercially reasonable efforts; Free up to twice per year; controller may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
Source: Va. Code § 59.1-577(A)(1)
Right to Delete
You have the right to request that a business delete the personal data it has collected about you or obtained from other sources.
Exceptions: Does not apply to data needed to comply with legal obligations; Does not apply to data needed to complete a transaction you requested; Does not apply to data used to prevent fraud or security incidents; For data obtained from sources other than the consumer, the controller may comply by retaining a minimal record of the deletion request or opting the consumer out of further processing; Does not apply to data subject to federal exemptions (HIPAA, GLBA, FCRA, etc.).
Source: Va. Code § 59.1-577(A)(3), (B)(5)
Right to Correct
You have the right to request that a business correct inaccuracies in the personal data it holds about you, taking into account the nature of the data and the purpose for which it is being used.
Exceptions: Does not apply to data subject to federal exemptions (HIPAA, GLBA, FCRA, etc.); Controller may decline if request is manifestly unfounded, excessive, or repetitive.
Source: Va. Code § 59.1-577(A)(2)
Right to Opt Out of Sales
You have the right to opt out of the sale of your personal data to third parties for monetary consideration.
Exceptions: Does not apply to disclosures to processors acting on the controller's behalf; Does not apply to disclosures necessary to provide a product or service you requested; Does not apply to transfers to affiliates; Does not apply to information you intentionally made public; Does not apply to transfers in connection with a merger, acquisition, or bankruptcy.
Source: Va. Code § 59.1-577(A)(5)(ii)
Right to Opt Out of Processing
You have the right to opt out of your personal data being used for targeted advertising — ads selected based on your activity tracked across different websites and apps over time.
Exceptions: Does not apply to ads based on activity within the controller's own websites or apps; Does not apply to ads based on your current search query or website visit; Does not apply to ads in response to your direct request for information; Does not apply to processing solely for measuring advertising performance.
Source: Va. Code § 59.1-577(A)(5)(i)
Right to Opt Out of Automated Decisions
You have the right to opt out of profiling that uses automated processing to make or significantly influence decisions about you in areas like loans, housing, insurance, employment, education, health care, or other major life areas.
Exceptions: Only applies to profiling in furtherance of decisions that produce legal or similarly significant effects; Does not apply to profiling for internal research or product improvement.
Source: Va. Code § 59.1-577(A)(5)(iii)
Right to Data Portability
You have the right to obtain a copy of your personal data that you previously provided to a business, in a portable and readily usable format that lets you transfer it to another company, where processing is carried out by automated means.
Exceptions: Only applies to data you previously provided to the controller; Only applies where processing is carried out by automated means; Format must be portable only to the extent technically feasible.
Source: Va. Code § 59.1-577(A)(4)
Right to Non-Discrimination
A business cannot discriminate against you for exercising your privacy rights — they cannot deny you goods or services, charge you different prices, or provide a lower quality of service just because you exercised your rights under this law.
Exceptions: Controllers may offer different prices or services if you opt out and such difference is reasonably related to the value of your data; Controllers may offer different prices or terms related to voluntary participation in a bona fide loyalty, rewards, discounts, or club card program; Controllers are not required to provide a service that requires personal data they don't collect or maintain.
Source: Va. Code § 59.1-578(A)(4)
Right to Limit Sensitive Data
Businesses must obtain your consent before processing your sensitive personal data, which includes things like racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, immigration status, genetic or biometric data, precise location, and data collected from children.
Exceptions: Processing of sensitive data concerning a known child must comply with COPPA rather than requiring consumer consent; Sensitive data that is de-identified or publicly available is not covered.
Source: Va. Code § 59.1-578(A)(5)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a VCDPA deletion or opt-out request. Covered businesses have 45 days to respond (Va. Code § 59.1-577(B)(1), (B)(4)), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The VCDPA does not mention authorized agents (Va. Code Ann. § 59.1-571 et seq.). This means data brokers are not required to honor privacy requests submitted by someone other than you personally. Optery can help you submit requests directly — we prepare everything for you; you hit send.
Enforcement and penalties
The VCDPA is enforced by Virginia Attorney General. The Virginia Attorney General has exclusive authority to enforce this law. Before filing a lawsuit, the AG must give businesses 30 days' written notice to fix the problem. If a business doesn't correct the violation, the AG can seek injunctions and civil penalties of up to $7,500 per violation. There is no private right of action — individual consumers cannot sue companies directly under this law.
Who does the VCDPA apply to?
This law applies to businesses that operate in Virginia or target Virginia residents AND either (1) process personal data of at least 100,000 consumers per year, or (2) process personal data of at least 25,000 consumers and earn more than 50% of their gross revenue from selling personal data. Nonprofits, government agencies, financial institutions covered by Gramm-Leach-Bliley, HIPAA-covered health entities, and institutions of higher education are exempt.
Frequently asked questions
Which companies does the VCDPA apply to?
The law applies to businesses that do business in Virginia or target Virginia residents and either process personal data of at least 100,000 consumers per year, or process data of at least 25,000 consumers while earning more than 50% of gross revenue from selling personal data (Va. Code § 59.1-576(A)). Nonprofits, government agencies, HIPAA-covered health entities, financial institutions governed by Gramm-Leach-Bliley, and universities are exempt.
How long does a company have to respond to my privacy request?
A controller must respond within 45 days of receiving your request (Va. Code § 59.1-577(B)(1)). They can extend that deadline by another 45 days if needed due to the complexity or number of requests, but they must notify you of the extension within the original 45-day window.
What happens if a company violates the VCDPA?
The Virginia Attorney General has exclusive authority to enforce this law and can seek civil penalties of up to $7,500 per violation (Va. Code § 59.1-584(C)). However, before suing, the AG must give the company 30 days to fix the problem. You cannot personally sue a company for violating this law — there is no private right of action (Va. Code § 59.1-584(E)).
What can I do if a company denies my privacy request?
If a company refuses your request, they must explain why within 45 days and tell you how to appeal (Va. Code § 59.1-577(B)(2)). The controller must have a conspicuous appeal process. If the appeal is also denied, the company must provide you a way to contact the Attorney General to file a complaint (Va. Code § 59.1-577(C)).
Does the VCDPA protect my sensitive information like health data or precise location?
Yes — companies must get your consent before processing 'sensitive data,' which includes health diagnoses, racial or ethnic origin, religious beliefs, sexual orientation, immigration status, genetic or biometric data, precise geolocation, and data collected from children (Va. Code § 59.1-578(A)(5)). Note that health records already covered by HIPAA are generally exempt from the VCDPA entirely.