State Privacy Laws: Virginia

Virginia Consumer Data Protection Act (VCDPA)

Overview

Virginia was the second state, after California, to enact a comprehensive consumer data privacy law. Because Virginia was an early adopter, the Virginia Consumer Data Protection Act is similar to the CCPA and GDPR.

Key Dates

  • Signed into law: March 2, 2021
  • Effective date: January 1, 2023

Thresholds

The VCDPA applies to persons that either conduct business in the commonwealth or produce products or services that are targeted to residents of the commonwealth and that:

  • control or possess the personal data of at least 100,000 consumers in a calendar year, or
  • control or possess the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.

Consumer Rights

  • The right to confirm whether a controller is actually processing their personal data.
  • The right to correct inaccuracies in the consumer’s personal data that is collected by the controller.
  • The right to delete personal data provided by or obtained about the consumer.
  • The right to obtain copies of the personal data collected by the controller.
  • The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or further profiling.

Sensitive Data

The VCDPA defines sensitive data as a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal data collected from a known child; or
  • Precise geolocation data.

Penalties

Up to $7,500 per violation.

Configure Your Consent Banner for VCDPA

Regions are used to customize the behavior and experience based on an individual user’s location. For example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. VCDPA in Virginia). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like VCDPA in Virginia).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Implied
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Enabled
  • Enable Do Not Sell Consent: Enabled
  • Enable Global Privacy Control: Enabled

For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document: https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher-level splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.