Privacy Laws in Virginia: What You Need to Know

Virginia was the second state in the nation to pass a comprehensive consumer privacy law, and it remains one of the strongest frameworks for personal data protection in the United States. The Virginia Consumer Data Protection Act (VCDPA) gives residents meaningful control over how businesses collect, use, and sell their personal information. Here is what you need to know about your rights under Virginia law in 2026.

The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA, codified at Va. Code sections 59.1-575 through 59.1-585, was signed into law in March 2021 and took effect on January 1, 2023 — making Virginia only the second state after California to enact a comprehensive consumer privacy statute. Unlike California's approach, which evolved through multiple ballot initiatives and amendments, Virginia's law was crafted as a single legislative package with clear definitions and a streamlined enforcement model.

The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted at Virginia residents and meet at least one of the following thresholds:

• Process personal data of 100,000 or more consumers during a calendar year, or
• Process personal data of 25,000 or more consumers and derive more than 50% of gross revenue from the sale of personal data.

Notably, the VCDPA does not include a revenue threshold like California's CCPA. The scope is determined entirely by data processing volume and revenue source, meaning that even smaller companies that deal heavily in personal data may be covered.

Your Rights Under the VCDPA

As a Virginia resident, you have the following rights with respect to your personal data:

Right to Know and Access

You can confirm whether a business is processing your personal data and request access to the specific data they hold about you. Businesses must respond to your request within 45 days.

Right to Delete

You can request that a business delete the personal data they have collected from you or about you. There are limited exceptions, such as data needed to complete a transaction or comply with a legal obligation.

Right to Correct

If a business holds inaccurate personal data about you, you have the right to request that they correct it.

Right to Data Portability

You can request a copy of your personal data in a portable, readily usable format so that you can transfer it to another service provider without hindrance.

Right to Opt Out

Virginia law gives you the right to opt out of three specific types of data processing:

• Targeted advertising — ads based on personal data collected from your activities across different websites and services.
• Sale of personal data — the exchange of your personal data for monetary consideration.
• Profiling — automated processing that produces legal or similarly significant effects on you, such as decisions about employment, credit, or insurance.

Right to Non-Discrimination

Businesses cannot penalize you for exercising any of your privacy rights. They cannot deny you goods or services, charge you different prices, or provide a lesser quality of service because you chose to opt out or request deletion.

Sensitive Data Requires Your Consent

The VCDPA treats certain categories of personal data as sensitive, meaning businesses must obtain your explicit consent before collecting or processing them. Sensitive data includes:

• Racial or ethnic origin
• Religious beliefs
• Health diagnosis or conditions
• Sexual orientation
• Citizenship or immigration status
• Genetic data
• Biometric data used for identification purposes
• Personal data from a known child
• Precise geolocation data

This consent requirement is an important safeguard. Companies cannot collect your health records, biometric scans, or information about your children without affirmatively asking for and receiving your permission first.

Data Protection Assessments

The VCDPA requires businesses to conduct data protection assessments before engaging in certain higher-risk processing activities. These assessments apply to:

• Processing personal data for targeted advertising
• Selling personal data
• Processing personal data for profiling where there is a risk of harm to consumers
• Processing sensitive data
• Any processing activities that present a heightened risk of harm to consumers

These assessments must weigh the benefits of the processing against the potential risks to consumers, and they must be made available to the Attorney General upon request.

2026 Updates: Social Media Protections for Minors

Virginia has continued to strengthen its privacy framework beyond the original VCDPA. Effective January 1, 2026, new social media restrictions specifically protect minors under 16:

• One-hour daily limit: Social media platforms must enforce a default daily usage limit of one hour for users under 16.
• Neutral age screening: Platforms must implement age verification mechanisms that are neutral and do not rely on users self-reporting their age.
• Restricted features: Certain addictive design features — such as auto-play, push notifications during school hours, and infinite scrolling — are limited for minor users.

These protections reflect a growing national trend toward shielding children from the privacy and safety risks of social media, and Virginia is among the states leading this effort.

Enforcement: The Attorney General's Exclusive Authority

Unlike some state privacy laws that allow consumers to sue companies directly, the VCDPA grants exclusive enforcement authority to the Virginia Attorney General. There is no private right of action under the law. This means that if you believe a company has violated your rights, your recourse is to file a complaint with the AG's office rather than pursue a private lawsuit.

While this limits individual legal action, it also means enforcement is centralized and consistent. The AG's office has the authority to investigate complaints, issue civil investigative demands, and pursue civil penalties of up to $7,500 per violation against non-compliant businesses.

How the VCDPA Compares to Other State Laws

Virginia's privacy law shares similarities with both California's CCPA/CPRA and other state frameworks, but there are important differences:

• No private right of action: Unlike California, Virginia residents cannot sue companies directly for privacy violations.
• No revenue threshold: California's CCPA applies to businesses with annual revenue over $25 million. Virginia's law focuses solely on data processing volume.
• Opt-in consent for sensitive data: Virginia requires affirmative consent before processing sensitive data, while California allows consumers to opt out after the fact.
• Cleaner legislative structure: The VCDPA was enacted as a single, cohesive statute rather than the layered approach of California's CCPA plus CPRA amendments.

How to Protect Your Privacy Today

Virginia's privacy law gives you meaningful rights, but exercising them across every company that holds your data is a significant undertaking. Here is how to get started:

1. Search for yourself online. Look up your name on Google and popular people search sites to see what personal data is publicly available.
2. Submit opt-out and deletion requests. Use the privacy links on company websites to opt out of data sales and targeted advertising, and request deletion of data you do not want them to hold.
3. File complaints when companies do not respond. If a business ignores or denies your request without valid reason, file a complaint with the Virginia Attorney General.
4. Use PrivacyOn to automate the process. Manually contacting hundreds of data brokers is time-consuming and requires ongoing monitoring since brokers frequently re-list your information. PrivacyOn removes your data from over 100 data broker sites, monitors for re-listings, and includes dark web monitoring to alert you if your information surfaces in places you cannot reach on your own.

Virginia's VCDPA is a powerful tool for protecting your personal information, but laws alone cannot eliminate the vast ecosystem of data brokers and people search sites that trade in your data every day. Combining your legal rights with a service like PrivacyOn ensures that your information stays private — not just in theory, but in practice.