Virginia VCDPA

United States

15 domains

32 controls

Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq., effective 1 Jan 2023).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (15)

Children

1 controls

Controls in the Children domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-59-1-578-CHILD	Children Data Processing Alignment with COPPA	Personal data of a known child is sensitive data requiring opt in consent. Processing of sensitive data concerning a kno...

Consumer Rights

9 controls

Controls in the Consumer Rights domain of Virginia VCDPA — 9 controls
Code	Title	Description
VCDPA-59-1-577-A1	Consumer Right to Confirm and Access Personal Data	A consumer has the right to confirm whether a controller is processing their personal data and to access that data. The...
VCDPA-59-1-577-A2	Right to Correct Inaccurate Personal Data	Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal...
VCDPA-59-1-577-A3	Right to Delete Personal Data	Consumers may request deletion of personal data provided by or obtained about them. Unlike CCPA, VCDPA explicitly covers...
VCDPA-59-1-577-A4	Right to Data Portability	Where processing is carried out by automated means consumers may obtain a copy of the personal data they previously prov...
VCDPA-59-1-577-A5-PROFILE	Right to Opt Out of Profiling with Legal or Similarly Significant Effects	Consumers may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects conce...
VCDPA-59-1-577-A5-SALE	Right to Opt Out of Sale of Personal Data	Consumers may opt out of the sale of personal data. Sale is defined narrowly as the exchange of personal data for moneta...
VCDPA-59-1-577-A5-TARGETED	Right to Opt Out of Targeted Advertising	Consumers have the right to opt out of processing of personal data for purposes of targeted advertising, defined as disp...
VCDPA-59-1-578-NONDISCRIM	Nondiscrimination for Rights Exercise	Controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination...
VCDPA-GPC	Universal Opt Out and Global Privacy Control	Effective 1 January 2025 controllers must allow consumers to opt out of targeted advertising or sale of personal data th...

Data Governance

1 controls

Controls in the Data Governance domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-59-1-578-PURPOSELIMIT	Purpose Limitation and Data Minimization	Controllers must limit the collection of personal data to what is adequate, relevant and reasonably necessary in relatio...

Data Lifecycle

3 controls

Controls in the Data Lifecycle domain of Virginia VCDPA — 3 controls
Code	Title	Description
VCDPA-59-1-581-DEIDENT	Deidentified Data Standards	Deidentified data is data that cannot reasonably be linked to an identified or identifiable natural person or device. A...
VCDPA-59-1-581-PSEUDONYMOUS	Pseudonymous Data Carve Out	The obligations of consumer rights (access, correction, deletion, portability, opt out) do not apply to pseudonymous dat...
VCDPA-RETENTION	Retention Aligned to Purpose	Although VCDPA does not impose a specific retention period, the data minimization and purpose limitation provisions requ...

Enforcement

2 controls

Controls in the Enforcement domain of Virginia VCDPA — 2 controls
Code	Title	Description
VCDPA-59-1-583-CURE-SUNSET	30 Day Cure Period and 2025 Sunset	Prior to initiating an action the AG was required to provide a controller or processor 30 days written notice identifyin...
VCDPA-59-1-584-ENFORCEMENT	Attorney General Exclusive Enforcement	The Attorney General has exclusive authority to enforce VCDPA. There is no private right of action. The AG may seek inju...

Exceptions

1 controls

Controls in the Exceptions domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-59-1-582-RESEARCH	Research Data Exception	VCDPA does not restrict a controller's ability to engage in public or peer reviewed scientific or statistical research i...

Processor Management

2 controls

Controls in the Processor Management domain of Virginia VCDPA — 2 controls
Code	Title	Description
VCDPA-59-1-579-PROCESSOR-CONTRACT	Processor Contract Required Elements	Processing by a processor must be governed by a contract between the controller and the processor that sets out instruct...
VCDPA-59-1-579-PROCESSOR-DUTIES	Processor Duties to Assist Controller	A processor must adhere to the controller's instructions and assist the controller in meeting obligations including resp...

Regulatory Updates

1 controls

Controls in the Regulatory Updates domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-AMEND-2023	Subsequent Amendments and Coordination with Federal Law	VCDPA has been amended since enactment to add coverage of child data (HB 707 effective 2025), refine the consumer defini...

Rights Operations

3 controls

Controls in the Rights Operations domain of Virginia VCDPA — 3 controls
Code	Title	Description
VCDPA-59-1-577-AUTH-AGENT	Authorized Agent Requests	A consumer may designate an authorized agent to exercise opt out rights on their behalf. The controller may deny a reque...
VCDPA-59-1-578-APPEAL	Consumer Appeal Process	Controllers must establish a process for consumers to appeal refusal to take action on a request. Within 60 days of rece...
VCDPA-59-1-578-RESPONSE	Response Timing and Authentication	Controllers must respond to consumer requests within 45 days of receipt. The period may be extended once by 45 additiona...

Risk Management

2 controls

Controls in the Risk Management domain of Virginia VCDPA — 2 controls
Code	Title	Description
VCDPA-59-1-579-DPA	Data Protection Assessment Requirement	Controllers must conduct and document a data protection assessment of each of the following processing activities: proce...
VCDPA-59-1-580-DPA-CONTENT	Data Protection Assessment Content and Confidentiality	DPAs must identify and weigh the benefits that may flow from the processing to the controller, consumer, other stakehold...

Roles and Responsibilities

1 controls

Controls in the Roles and Responsibilities domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-59-1-575-DEF	Controller and Processor Definitions	A controller is the natural or legal person that determines the purpose and means of processing personal data. A process...

Scope and Applicability

2 controls

Controls in the Scope and Applicability domain of Virginia VCDPA — 2 controls
Code	Title	Description
VCDPA-59-1-576	Applicability Threshold for Controllers	VCDPA applies to persons that conduct business in Virginia or produce products or services targeted to Virginia resident...
VCDPA-59-1-576-EXEMPT	Entity and Data Level Exemptions	VCDPA exempts certain entities including state agencies, financial institutions subject to GLBA, covered entities and bu...

Security

1 controls

Controls in the Security domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-59-1-578-SECURITY	Reasonable Data Security Practices	Controllers must establish, implement and maintain reasonable administrative, technical and physical data security pract...

Sensitive Data

1 controls

Controls in the Sensitive Data domain of Virginia VCDPA — 1 controls
Code	Title	Description
VCDPA-59-1-578-SENSITIVE-OPTIN	Sensitive Data Opt In Consent	Controllers must not process sensitive data without obtaining the consumer's freely given, specific, informed and unambi...

Transparency

2 controls

Controls in the Transparency domain of Virginia VCDPA — 2 controls
Code	Title	Description
VCDPA-59-1-578-OPTOUT-DISCLOSURE	Disclosure of Sale and Targeted Advertising Activities	If a controller sells personal data to third parties or processes personal data for targeted advertising the controller...
VCDPA-59-1-578-PRIVACYNOTICE	Privacy Notice Content Requirements	Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes categ...

Frequently Asked Questions

What is Virginia VCDPA?

Virginia VCDPA is a compliance framework from United States with 15 domains and 32 controls. Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq., effective 1 Jan 2023). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Virginia VCDPA have?

Virginia VCDPA has 32 controls organised across 15 domains. The largest domains are Consumer Rights (9 controls), Data Lifecycle (3 controls), Rights Operations (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Virginia VCDPA map to?

Virginia VCDPA does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Virginia VCDPA compliance?

Start your Virginia VCDPA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Virginia VCDPA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required