Virginia Consumer Data Protection Act
Virginia CDPA
Data last verified: March 23, 2026
- Effective Date
- January 1, 2023
- Enforcement Date
- Not specified in statute
Summary
Virginia CDPA provides consumers the right to opt out of profiling for decisions with significant effects and requires data protection assessments for profiling activities.
Who It Applies To
Applies to businesses processing data of 100,000+ VA consumers, or 25,000+ consumers if 50%+ revenue from data sales.
- Min Consumers:
- 100,000
Any threshold triggers applicability
Penalties
- Penalty Range
- $0 – $7,500per violation
- Cure Period
- 30-day cure period
- Private Right of Action
- No private right of action
- Enforcement Body
- Virginia Attorney General (exclusive)
Requirements (3)
- Opt-OutVa. Code Ann. § 59.1-577(A)(5)(iii)
This law provides consumers the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Impact AssessmentVa. Code Ann. § 59.1-580(A)
This law requires controllers to conduct data protection assessments for processing activities involving profiling, targeted advertising, sale of personal data, or sensitive data.
- ConsentVa. Code Ann. § 59.1-578(A)(5)
This law prohibits controllers from processing sensitive data concerning a consumer without obtaining the consumer's consent.
Claire tracks 31 state and local AI laws across 23 US states. No prescriptive federal AI compliance statutes have been enacted. EU AI Act and sector-specific regulations are not covered.
Check if this law applies to your business