
VCDPA: Guide to Requirements + Website Compliance

Get a clear breakdown of Virginia Consumer Data Protection Act rules, enforcement timelines, and how to manage third-party scripts correctly.

Jan 22, 2026 8 min read
Juan Combariza, Growth Marketer

TL;DR

  • What is the VCDPA? The Virginia Consumer Data Protection Act is a privacy law that grants Virginia residents certain rights over their personal information. It became the second state-level privacy law in the U.S. after California and took effect on January 1, 2023.
  • Who does the VCDPA apply to? The VCDPA applies to organizations that do business in Virginia or target Virginia residents and either (a) control or process personal data of at least 100,000 consumers annually or (b) control or process data of at least 25,000 consumers while deriving over 50% of gross revenue from selling personal data.
  • What are the common causes of VCDPA compliance failures? Most failures arise from processing sensitive data without explicit consent, not responding to consumer rights requests within given timelines, or lackluster privacy disclosures. Lack of visibility into third-party script behavior on websites can also trigger violations.
  • How do I make my website compliant with the VCDPA? Maintain an accurate privacy policy, obtain consent before processing personal data, honor data requests, and monitor third-party processors on your website with a tool like cside.

Companies need data to grow. Unfortunately, this often results in consumers having sensitive data processed without their consent, and it happens more often through technical misconfiguration than through unethical intent on the company's part.

Governments across the globe are taking note and bringing in laws to make data collection clear and transparent. Like several states in the US, Virginia has also come up with a privacy law designed to be business-friendly while protecting consumers. 

With the simple aim of putting people in charge of their data, the Virginia Consumer Data Protection Act matters for any organization conducting business in the state. This article explains what the VCDPA is, its key requirements, and why you cannot ignore client-side security if you want to be truly compliant.

What is the Virginia Consumer Data Protection Act?

The Virginia Consumer Data Protection Act (VCDPA) is a US state privacy law that grants Virginia residents a number of rights over their personal information. Governor Ralph Northam signed it into law on March 2, 2021 and it became effective on January 1, 2023.

It is based on the premise that if you don't have a specific, disclosed reason to hold data, you shouldn't have it at all.

Virginia residents now possess specific, enforceable rights over their digital footprint:

  • The Right to Control: Consumers can access, correct or delete their personal data at will
  • The Right to Exit: Companies must provide a simple mechanism for users to opt out. That opt out includes targeted advertising, data sales and automatic profiling

Under the VCDPA, sensitive data such as health, religion, biometrics and precise geolocation cannot be collected by default: it requires the consumer's explicit and affirmative consent.

Individual citizens do not have a private right of action under the VCDPA. The Virginia Attorney General holds the authority to enforce it, with penalties of up to $7,500 per violation.

Does the VCDPA Apply to My Company? (Self Assessment)

[Figure: Eligibility criteria: does the VCDPA apply to my organization?]

The VCDPA applies to your organization if you meet the following criteria:

  1. You conduct business in Virginia or produce products or services that target Virginia residents.
  2. You meet one of two data processing thresholds: (a) control or process personal data of at least 100,000 consumers during a calendar year, or (b) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from selling personal data.

Unlike California's CCPA, the VCDPA does not include a revenue-only threshold. A company's gross annual revenue alone does not determine applicability. The thresholds focus entirely on data processing volume and revenue derived specifically from data sales.

Two definitions matter for these thresholds:

  • Consumer: a person who is a Virginia resident acting in an individual or household context.
  • Personal data: any information linked or reasonably linkable to an identified or identifiable natural person. This excludes de-identified data and publicly available information.

VCDPA Exemptions

Some entities are exempt from VCDPA requirements altogether.

  • State agencies, political subdivisions and bodies of Virginia government
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates governed by HIPAA
  • Nonprofit organizations (including political organizations per recent amendments)
  • Institutions of higher education

What Are the Main VCDPA Requirements?

Provide clear privacy notices

Controllers (organizations) must display a privacy notice that is reasonably accessible. The notice must disclose the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, the categories of data shared with third parties and the categories of those third parties.

If a controller sells personal data or processes it for targeted advertising, this must be clearly disclosed along with instructions on how consumers can opt out.

The VCDPA prohibits processing sensitive data without obtaining explicit consumer consent. “Implied consent” does not meet the standard.

For data collected from known children under 13, controllers must comply with the federal Children's Online Privacy Protection Act (COPPA) requirements. Amendments to the VCDPA effective January 1, 2025 added further restrictions on processing children's data for targeted advertising, profiling and other purposes without parental consent.

Respond to consumer rights requests within 45 days

After a consumer submits a request to exercise their rights, controllers must respond within 45 days. One 45-day extension is permitted when reasonably necessary because of the technical complexity of the request or a high volume of requests, but the consumer must be notified of the extension within the original 45-day period.

Responses must be free of charge up to twice annually per consumer. If a controller declines a request, they must explain why and provide instructions for appealing. Appeals must be decided within 60 days. If an appeal is denied, the controller must provide a method for the consumer to contact the Attorney General.

Enable opt-out from sales, targeted advertising and profiling

Consumers have the right to opt out of processing for targeted advertising, the sale of personal data and profiling that produces legal or similarly significant effects. 

Controllers must provide a functional mechanism to honor these requests. The organization remains in violation if tracking scripts or pixels continue to transmit data after a consumer opts out.

Establish contracts with data processors

Controllers must have written contracts with any processors handling data on their behalf. This includes website data processors such as chatbots, analytics or marketing tools. Agreements must specify the nature and purpose of processing, the type of data involved, the duration of processing and the rights and obligations of both parties.

Most major vendors (such as Meta, Google Ads and Cloudflare) publish standardized data processing agreements (DPAs) on their websites.

Hidden Website Privacy Violation Risks for VCDPA

[Figure: Website privacy risks for VCDPA]

The most overlooked risk surface for VCDPA compliance is your website. Modern sites load a mix of code written internally and code from third-party vendors (third-party scripts). Those third-party scripts pull in further scripts of their own (sub-processors). Every one of these scripts adds security and privacy risk to your website: through misconfiguration or malicious code injection, any of them can expose personal data.

Third-party scripts are a VCDPA compliance risk

Marketing pixels, analytics tools and social widgets are standard on most commercial websites. Each script might collect IP addresses, device identifiers, browsing behavior and form inputs. 

Under the VCDPA, the organization deploying these scripts is the controller and is responsible for what they collect.

You violate compliance if these scripts collect more data than disclosed in your privacy notice. If they continue collecting after a consumer opts out, you are also out of compliance. Most organizations have no way of knowing whether their scripts behave as expected.

JavaScript injections are a VCDPA data breach risk

Beyond compliance, client-side code presents security risks. For instance:

  1. Malicious or compromised scripts can skim personal data directly from the browser.
  2. A poisoned library update or injected tag can expose consumer information without being seen by server-side security controls.

The VCDPA requires controllers to maintain reasonable security practices. An organization that deploys unmonitored third-party code and suffers a client-side breach will struggle to show that it took appropriate precautions.

Consent management platforms (CMPs) are important in website privacy compliance but are only one piece of the puzzle. A cookie banner can collect consent preferences, but it has limited ability to enforce them.

CMPs can break down if they are not properly integrated with Google Tag Manager or other analytics tools. Furthermore, CMPs are not built to protect against client-side attacks, where “trusted” third-party scripts are hijacked and bypass consent settings entirely.
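The two points above (a tag that keeps transmitting after an opt-out, and a CMP whose preferences nothing actually enforces) come down to one question: does every third-party load and every outbound beacon check the consent record first? The following is an added example, not cside's code or the article's, of a small consent gate keyed on the three VCDPA opt-out purposes named earlier. Vendor names, script URLs and the `inject` callback are constructed for the demo; in a browser `inject` would append a `<script>` element, and `disable` would call the vendor's own consent hook, since a script that has already executed cannot be un-run. The gate defaults to withholding every purpose until consent is recorded, which is stricter than the opt-out model and matches the article's advice to obtain consent before processing; pass your CMP's stored preferences as `initialConsent` if your posture differs.

```javascript
// Added example (not cside's or the article's code): a consent gate that
// decides whether a third-party tag may load and whether it may transmit.

const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

class ConsentGate {
  // inject(src): performs the actual script insertion (a recording stub in the demo).
  // initialConsent: e.g. preferences read back from a CMP; anything unlisted is false.
  constructor(inject, initialConsent = {}) {
    this.inject = inject;
    this.consent = Object.fromEntries(
      OPT_OUT_PURPOSES.map((p) => [p, Boolean(initialConsent[p])])
    );
    this.vendors = new Map();
  }

  // A vendor declares which opt-out purposes its script serves. `disable` is the
  // vendor-specific hook run after opt-out.
  register(name, { src, purposes, disable = () => {} }) {
    for (const p of purposes) {
      if (!OPT_OUT_PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    this.vendors.set(name, { src, purposes, disable, injected: false, active: false });
    this.sync();
  }

  grant(purpose) { this.setConsent(purpose, true); }
  optOut(purpose) { this.setConsent(purpose, false); }

  setConsent(purpose, value) {
    if (!(purpose in this.consent)) throw new Error(`unknown purpose: ${purpose}`);
    this.consent[purpose] = value;
    this.sync();
  }

  // A vendor is allowed only while every purpose it serves is consented to.
  allowed(name) {
    const v = this.vendors.get(name);
    return v !== undefined && v.purposes.every((p) => this.consent[p]);
  }

  // Reconcile each vendor with the current consent record: load when newly
  // allowed, run the vendor's disable hook when consent is withdrawn.
  sync() {
    for (const v of this.vendors.values()) {
      const ok = v.purposes.every((p) => this.consent[p]);
      if (ok && !v.active) {
        if (!v.injected) { this.inject(v.src); v.injected = true; }
        v.active = true;
      } else if (!ok && v.active) {
        v.disable();
        v.active = false;
      }
    }
  }

  // Every outbound beacon passes through here; returns true only if it was sent.
  // A beacon that leaves after an opt-out is exactly the violation the VCDPA names.
  transmit(name, send) {
    if (!this.allowed(name)) return false;
    send();
    return true;
  }
}

// Demo with constructed vendors: one ad pixel serving two purposes, one
// analytics tag that profiles. Returns what was injected and which beacons
// got through, so the behaviour can be checked rather than just printed.
function demo() {
  const injected = [];
  const sent = [];
  const gate = new ConsentGate((src) => injected.push(src));

  gate.register("ad-pixel", {
    src: "https://ads.example-vendor.invalid/pixel.js",   // constructed
    purposes: ["targeted_advertising", "sale"],
  });
  gate.register("analytics", {
    src: "https://metrics.example-vendor.invalid/tag.js", // constructed
    purposes: ["profiling"],
  });

  const beacon = (name) => gate.transmit(name, () => sent.push(name));
  const results = [];

  results.push(beacon("ad-pixel"));     // nothing consented yet
  gate.grant("targeted_advertising");
  results.push(beacon("ad-pixel"));     // "sale" still withheld, so still blocked
  gate.grant("sale");
  results.push(beacon("ad-pixel"));     // both purposes consented: script loads, beacon sent
  gate.optOut("sale");
  results.push(beacon("ad-pixel"));     // opt-out must stop transmission immediately
  gate.grant("profiling");
  results.push(beacon("analytics"));    // analytics allowed

  return { injected, sent, results };
}
```

The important design choice is that `allowed()` is consulted at transmission time, not only at load time: a CMP that merely decides whether to inject a tag cannot stop a tag that is already running, which is how a banner ends up promising an opt-out the page does not honor.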

Common VCDPA Compliance Failures

[Figure: Where VCDPA compliance failures happen]

The most direct violation occurs when organizations process sensitive data without explicit opt-in consent. This includes geolocation data, health-related information, biometric identifiers and data from known children. Many websites collect this information through scripts without realizing the consent implications.

For example, a healthcare website using a Meta pixel may inadvertently transmit information about which condition pages a user visits. That behavioral data qualifies as sensitive health information requiring explicit consent before it can be ‘shared’.

Privacy notices that do not match actual practices

Controllers must ensure their privacy disclosures accurately describe what data is collected, why, and with whom it is shared. Actual practices can drift from what the privacy notice states when third-party scripts change or when marketing teams add new tags.

The violation is unquestionably yours if a script on your site shares data with an undisclosed party.
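Catching that drift means comparing where the page actually sends data against the parties the notice discloses, and in particular catching a disclosed script that forwards data to an undisclosed sub-processor. The following is an added example, not cside's code or the article's: the disclosed-party list, the site hostname and the request log are all constructed, and the log is in the shape of "which script initiated a request to which URL"; how you collect such a log in practice (browser-side monitoring, a proxy, or Content-Security-Policy report-only reports) is outside the example.

```javascript
// Added example (not cside's or the article's code): reconcile observed data
// destinations against the third parties a privacy notice discloses.

// Third parties named in a hypothetical privacy notice, keyed by hostname.
// Subdomains of a listed host count as that party.
const DISCLOSED_THIRD_PARTIES = {
  "metrics.example-vendor.invalid": "Analytics provider",
  "ads.example-vendor.invalid": "Advertising partner",
};

// Constructed request log. `initiator` is the script that issued the request;
// null means first-party page code.
const REQUEST_LOG = [
  { initiator: null,
    url: "https://www.example-site.invalid/api/session" },
  { initiator: "https://metrics.example-vendor.invalid/tag.js",
    url: "https://metrics.example-vendor.invalid/collect?uid=abc" },
  { initiator: "https://metrics.example-vendor.invalid/tag.js",
    url: "https://enrich.data-broker.invalid/v1/profile" },
  { initiator: "https://ads.example-vendor.invalid/pixel.js",
    url: "https://ads.example-vendor.invalid/tr?ev=PageView" },
  { initiator: "https://chat.widget-vendor.invalid/loader.js",
    url: "https://chat.widget-vendor.invalid/ingest" },
];

// Name of the disclosed party a hostname belongs to, or null if undisclosed.
function disclosedParty(hostname, disclosed = DISCLOSED_THIRD_PARTIES) {
  for (const host of Object.keys(disclosed)) {
    if (hostname === host || hostname.endsWith("." + host)) return disclosed[host];
  }
  return null;
}

function isFirstParty(hostname, siteHost) {
  return hostname === siteHost || hostname.endsWith("." + siteHost);
}

// Returns findings keyed by undisclosed destination host. `kind` records what
// reached it: first-party code, an undisclosed script, or a disclosed script
// forwarding data onward (an unlisted sub-processor).
function findUndisclosedDestinations(log, siteHost, disclosed = DISCLOSED_THIRD_PARTIES) {
  const findings = {};
  for (const { initiator, url } of log) {
    const dest = new URL(url).hostname;
    if (isFirstParty(dest, siteHost) || disclosedParty(dest, disclosed)) continue;

    let kind;
    if (initiator === null) {
      kind = "first-party code";
    } else if (disclosedParty(new URL(initiator).hostname, disclosed)) {
      kind = "sub-processor of disclosed script";
    } else {
      kind = "undisclosed script";
    }

    if (!findings[dest]) findings[dest] = { kind, via: [] };
    const via = initiator === null ? "(page)" : initiator;
    if (!findings[dest].via.includes(via)) findings[dest].via.push(via);
  }
  return findings;
}

// Example run on the constructed log.
const findings = findUndisclosedDestinations(REQUEST_LOG, "www.example-site.invalid");
console.log(JSON.stringify(findings, null, 2));
```

Run against the constructed log, the analytics vendor's own collection endpoint is fine, but the same tag's call to the data-broker host surfaces as an unlisted sub-processor, and the chat widget surfaces as a script the notice never mentions at all. Both are the kind of gap the paragraph above says is "unquestionably yours".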

Opt-out mechanisms that fail to function

Privacy notices may promise consumers the right to opt out of data sharing only to fail when a real consumer request comes through.

The California Attorney General's enforcement action against Sephora illustrated this risk. The company stated that users could opt out of data sales but continued sending data to advertising partners. Regulators treated this as a denial of consumer rights. The same enforcement logic applies under the VCDPA.

Missing or inadequate data protection assessments

Organizations that process personal data for targeted advertising, sell data or handle sensitive information must document data protection assessments. Many organizations skip this requirement or produce assessments that fail to meaningfully analyze risks.

The Attorney General can request these documents during an investigation. An organization that cannot produce adequate assessments faces an uphill battle demonstrating compliance.

Failure to meet response deadlines

Consumer rights requests must be answered within 45 days and appeals must be resolved within 60 days. Organizations without efficient intake and response systems might miss these deadlines. A pattern of late or ignored requests signals systemic non-compliance.

VCDPA Timeline

  • March 2, 2021: Governor Ralph Northam signed the Virginia Consumer Data Protection Act into law
  • January 1, 2023: The VCDPA became effective. Enforcement by the Virginia Attorney General began. Data protection assessment requirements became applicable for new processing activities
  • January 1, 2025: Amendments regarding children's data took effect and mandated parental consent before processing known children's personal data for targeted advertising, profiling and other specified purposes
  • January 1, 2026: Additional amendments related to social media time limits for minors under 16 take effect

How cside Helps Organizations Achieve VCDPA Compliance

cside Privacy Watch catches hidden website privacy violations by monitoring browser-layer signals that traditional compliance tools ignore. cside provides a clear view of which scripts operate on your website, what data they access and where that data goes, so you can verify that actual data collection practices match your privacy disclosures.

  • Third-party code on your website frequently changes. cside surfaces changes in third-party tools as they happen and lets you identify unnecessary data collection before it creates compliance risk.
  • cside monitors for suspicious script behavior that indicates a client-side attack is targeting your website visitors' data.
  • Client-side requirements for transparency, purpose limitation, and security safeguards are automated with dashboards and automated evidence.

You can start with cside's free plan or book a demo to learn more about meeting the client-side requirements of state privacy laws like the VCDPA.

Juan Combariza, Growth Marketer

Researching & writing about client side security.


Frequently Asked Questions

Does the VCDPA only apply to large companies?

The VCDPA can apply to smaller companies as well, not just large enterprises. Applicability depends on how much personal data from Virginia residents you process, and companies that sell personal data are more likely to fall within the law’s scope.

Is a cookie banner enough for VCDPA compliance?

A cookie banner can help, but it is not sufficient on its own. What matters is whether your website actually respects user choices and protects personal data. While the VCDPA only requires explicit consent for sensitive data, any personal data exposed through client-side breaches can still constitute a privacy violation.

Am I responsible for data collected by a third-party script on my website?

Yes. Under the VCDPA, the company operating the website is responsible for compliance, even if a third-party vendor’s script is the source of the data collection or sharing that caused the violation.

Does the VCDPA require explicit consent for all data collection?

No. Explicit consent is required only for sensitive data such as precise location data, health information, or children’s data. However, many websites unintentionally collect sensitive data through analytics or marketing scripts, which can still trigger compliance obligations.
