What is the VCDPA?
The Virginia Consumer Data Protection Act (VCDPA) is Virginia's comprehensive consumer privacy law, signed in March 2021 and effective from January 1, 2023. It was the second comprehensive state privacy law to take effect in the United States, after the CCPA, and established the template that several other states later followed.
Under the VCDPA, Virginia residents have the right to access, correct, delete, and obtain copies of their personal data, as well as opt out of targeted advertising, the sale of personal data, and certain profiling activities. Controllers covered by the law must provide a clear privacy notice, honor consumer rights requests, and obtain opt-in consent before processing sensitive data.
Who does the VCDPA apply to?
The VCDPA applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and meet one of two thresholds during a calendar year:
- Control or process the personal data of at least 100,000 Virginia consumers.
- Control or process the personal data of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of personal data.
The law focuses on businesses with significant Virginia consumer data activity. It is narrower in scope than the CCPA: the VCDPA has no general revenue threshold, so a high-revenue business with limited Virginia data activity may fall outside the law entirely. Section 59.1-576 exempts Commonwealth government bodies, financial institutions and data subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofit organizations, and institutions of higher education.
VCDPA and Clickwrap Agreements
The VCDPA imposes a two-track consent model that depends on the type of data being processed. The GDPR requires a lawful basis for every processing activity, of which consent is only one; the VCDPA instead requires opt-in consent only for sensitive data categories. For most personal data, controllers may rely on a clear privacy notice plus opt-out rights. For sensitive data, controllers must obtain opt-in consent through a clear affirmative act before processing begins. This bifurcated structure shapes how clickwrap flows must be designed for Virginia residents, and the obligations are enforced exclusively by the Virginia Attorney General under Section 59.1-584; there is no private right of action.
How VCDPA Affects Clickwrap Design
Section 59.1-578(A)(5) sets out the VCDPA's central rule for sensitive data: a controller may not process sensitive data without first obtaining the consumer's consent. Consent must meet the Section 59.1-575 definition, a clear affirmative act signifying the consumer's freely given, specific, informed, and unambiguous agreement. Acceptance of a general terms of service is unlikely to satisfy the "specific" and "informed" elements on its own, so a clickwrap that bundles sensitive data consent into a broader Terms acceptance leaves the controller with a weak consent record even though the user did click to accept.
The opt-in requirement reaches a broad list of sensitive data categories, including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify an individual, precise geolocation, and personal data collected from a known child. The clickwrap interface therefore needs a consent step that is specific to the sensitive data actually being processed, with notice tied to that category or categories rather than to the service as a whole.
For non-sensitive personal data, the VCDPA relies primarily on disclosures and opt-out rights rather than affirmative consent. Section 59.1-578(C) requires controllers to provide a reasonably accessible, clear, and meaningful privacy notice, and Section 59.1-577 grants consumers the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. The opt-out mechanism cannot be hidden behind clickwrap acceptance: Section 59.1-578(E) requires one or more secure and reliable means for submitting rights requests and bars controllers from requiring a consumer to create a new account to exercise them, so the control should be reachable without first accepting any other terms.
Unlike the Colorado, Connecticut, and California statutes, the VCDPA does not require controllers to recognize universal opt-out preference signals such as the Global Privacy Control (GPC). A controller that serves consumers in several states will usually honor GPC for everyone anyway, and treating a GPC signal as a Virginia opt-out of targeted advertising and sale is a reasonable way to satisfy Section 59.1-577 for users who never touch an in-product opt-out control. If the controller does honor GPC, it should do so consistently and keep records of it, because a signal it advertises as honored but then ignores is harder to defend than one it never claimed to support.
Section 59.1-580 introduces a separate operational requirement that affects clickwrap design indirectly. Controllers must conduct a data protection assessment before processing sensitive data, processing for targeted advertising, selling personal data, or engaging in any processing that presents a heightened risk of harm to consumers. The assessment must be documented and made available to the Attorney General on request, which means clickwrap-driven processing decisions need to be supported by underlying compliance documentation.
What Must Be Shown Under VCDPA
Section 59.1-578(C) requires controllers to provide a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data processed by the controller.
- The purpose for processing each category of personal data.
- How consumers may exercise their rights, including the right to access, correct, delete, obtain a copy of, and opt out of certain processing, and how a consumer may appeal the controller's decision on a request.
- The categories of personal data shared with third parties, if any.
- The categories of third parties with whom personal data is shared.
- The secure and reliable means by which consumers can submit rights requests, which Section 59.1-578(E) requires the controller to establish and describe in the notice; an active email address or online form is the usual implementation, and it cannot require the consumer to create a new account.
The statute requires the notice to be reasonably accessible. In a clickwrap context, the safest reading is that the privacy notice or a clearly labeled link to it appears within the agreement flow, before or at the point of collection, rather than only in a footer or settings page.
Section 59.1-578(D) imposes an additional disclosure requirement for sales of personal data and targeted advertising. Where a controller sells personal data to third parties or processes personal data for targeted advertising, it must clearly and conspicuously disclose that processing along with the manner in which the consumer may opt out of it.
What Records You Must Keep Under VCDPA
The VCDPA does not establish a single retention schedule for clickwrap consent logs, but several provisions effectively require controllers to maintain documentation sufficient to demonstrate compliance with consent, opt-out, and data protection assessment obligations.
Controllers should keep records of:
- Sensitive data consent events - The exact notice presented, the timestamp, the user identifier, the categories of sensitive data covered, and the consent mechanism used.
- Opt-out requests - Whether the request applied to targeted advertising, the sale of personal data, or profiling, when the request was received, and when it was processed.
- Universal opt-out signal handling - If the controller honors signals such as the Global Privacy Control, documentation showing how the signal is detected and what it is treated as opting the consumer out of, including the date and scope of each resulting opt-out.
- Privacy notice versions - The full text of each privacy notice version, the date it was published, and the URL or screen at which it was presented in the clickwrap flow.
- Data protection assessments - Each Section 59.1-580 assessment, the processing activity it covers, the date completed, and the risk-mitigation measures adopted.
- Clickwrap acceptance records - The agreement version, the timestamp, the user identifier, the IP address, and the interface presented at the moment of acceptance.
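The record categories above, and the opt-out signal handling discussed earlier, are easier to defend when the log itself is tamper-evident. The following is an added Python illustration (not the statute's text and not any vendor's code) of a hash-chained consent and opt-out log: each entry commits to the digest of the previous one, the exact notice text is stored by SHA-256 digest alongside its version label, sensitive-data consent is rejected when the mechanism is a bundled Terms click, and a `Sec-GPC: 1` request header is turned into an opt-out event for targeted advertising and sale. The event schema, field names, mechanism labels, and the sample inputs in `demo()` are assumptions constructed for this example.

```python
"""Tamper-evident consent/opt-out log for a Virginia-facing clickwrap flow.

Added illustration, not the statute's text or any vendor's code. The event
schema, field names and mechanism labels are assumptions chosen to capture
the record-keeping points above; sample inputs are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sensitive data categories enumerated in Va. Code 59.1-575 (labels are ours).
SENSITIVE_CATEGORIES = {
    "racial_or_ethnic_origin", "religious_beliefs", "health_diagnosis",
    "sexual_orientation", "citizenship_or_immigration_status",
    "genetic_or_biometric_identification", "known_child_data",
    "precise_geolocation",
}

# Opt-out scopes under 59.1-577: targeted advertising, sale, and profiling
# in furtherance of legally significant decisions.
OPT_OUT_SCOPES = {"targeted_advertising", "sale", "profiling"}

# Mechanisms we treat as a "clear affirmative act" specific to sensitive data.
# A general Terms click is deliberately excluded (our design assumption about
# the 59.1-575 definition, not a holding from any case).
SPECIFIC_CONSENT_MECHANISMS = {"separate_checkbox", "separate_dialog"}

GENESIS = "0" * 64


class ConsentError(ValueError):
    """Raised when an event would not produce a defensible consent record."""


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _canonical(event: dict) -> str:
    # Deterministic serialization so the digest does not depend on key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


@dataclass
class ConsentLog:
    entries: list[dict] = field(default_factory=list)

    def _append(self, event: dict, ts: str | None) -> dict:
        event = dict(event)
        event["ts"] = ts or datetime.now(timezone.utc).isoformat()
        # Hash chain: each entry commits to the previous one, so editing or
        # deleting an earlier event breaks verification of everything after it.
        event["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS
        event["hash"] = _sha256(_canonical(event))
        self.entries.append(event)
        return event

    def record_sensitive_consent(self, user_id: str, categories, notice_text: str,
                                 notice_version: str, mechanism: str, ts=None) -> dict:
        unknown = set(categories) - SENSITIVE_CATEGORIES
        if unknown:
            raise ConsentError(f"not sensitive categories: {sorted(unknown)}")
        if mechanism not in SPECIFIC_CONSENT_MECHANISMS:
            raise ConsentError("sensitive-data consent must be a distinct affirmative "
                               "act, not bundled Terms acceptance")
        return self._append({
            "type": "sensitive_consent",
            "user_id": user_id,
            "categories": sorted(categories),
            "notice_version": notice_version,
            "notice_sha256": _sha256(notice_text),  # exact text shown, by digest
            "mechanism": mechanism,
        }, ts)

    def record_opt_out(self, user_id: str, scopes, source: str, ts=None) -> dict:
        bad = set(scopes) - OPT_OUT_SCOPES
        if bad:
            raise ConsentError(f"unknown opt-out scopes: {sorted(bad)}")
        return self._append({"type": "opt_out", "user_id": user_id,
                             "scopes": sorted(scopes), "source": source}, ts)

    def record_gpc_signal(self, user_id: str, headers: dict, ts=None) -> dict | None:
        """Treat a Global Privacy Control header as an opt-out of targeted
        advertising and sale. HTTP header names are case-insensitive; the GPC
        spec sends `Sec-GPC: 1`. Returns None when no signal is present."""
        lowered = {k.lower(): v.strip() for k, v in headers.items()}
        if lowered.get("sec-gpc") != "1":
            return None
        return self.record_opt_out(user_id, {"targeted_advertising", "sale"},
                                   source="gpc", ts=ts)

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev_hash") != prev or _sha256(_canonical(body)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> ConsentLog:
    """Constructed sample flow: one precise-geolocation consent, then a GPC opt-out."""
    log = ConsentLog()
    log.record_sensitive_consent("user-42", {"precise_geolocation"},
                                 "We use your precise location to show nearby stores.",
                                 "notice-v3", "separate_checkbox",
                                 ts="2025-03-01T12:00:00+00:00")
    log.record_gpc_signal("user-42", {"Sec-GPC": "1", "User-Agent": "example"},
                          ts="2025-03-02T09:30:00+00:00")
    return log
```

Storing the notice by digest and version rather than by reference lets you later prove which wording a user saw even after the notice changes; keeping the chained log in append-only storage (or periodically anchoring the latest hash somewhere the application cannot rewrite) is what turns `verify()` from a consistency check into evidence.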
Records matter most once the Attorney General gets involved. Section 59.1-584 requires the Attorney General to give a controller or processor 30 days' written notice of an alleged violation before initiating an action; if the violation is cured within that period and the controller provides a written statement that it has been cured and will not recur, no action proceeds. A documented record of how consent was obtained, opt-outs were honored, and assessments were completed is what lets a controller either show there was no violation or demonstrate a cure within the window. Where no cure is made, the Attorney General may seek civil penalties of up to $7,500 per violation.
