Virginia Privacy Policy Laws
Virginia’s privacy laws help regulate how certain businesses collect, use, and share residents’ personal data. These laws are intended to increase transparency and give consumers more control over their information. If your personal information was exposed in a data breach, you may have legal options depending on the facts of your situation and the laws that apply. Class Action U can help connect you with an attorney to discuss your circumstances.
- April 10, 2026
- The Virginia Consumer Data Protection Act (VCDPA)
- Key Requirements for Privacy Policies Under Virginia Law
- Comparison Between Virginia Privacy Laws and Other States
- Civil Penalties Under the VCDPA
- Notable Data Breach Lawsuit in Virginia
- How Can a Data Breach Lawyer Help
- Our Partners Data Breach Settlements
- Consult a Data Breach Lawyer in Virginia
The Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) is a state privacy law that gives Virginia residents certain rights regarding their personal data and imposes obligations on covered businesses. In general, the law applies only to businesses that meet certain statutory thresholds.
The VCDPA grants Virginia residents several rights regarding their personal data, including the following:
- Right to Access: Consumers can confirm whether a business is processing their personal data and access that data.
- Right to Correct: Consumers can request correction of inaccuracies in their personal data, taking into account the nature of the data and the purposes of processing.
- Right to Delete: Consumers can request deletion of personal data provided by or obtained about them, subject to applicable exceptions.
- Right to Data Portability: Consumers can obtain a copy of personal data they previously provided to the business in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out: Consumers can opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
In addition to these consumer rights, covered businesses under the VCDPA generally must:
- Provide a clear and meaningful privacy notice
- Limit collection and use of personal data to what is adequate, relevant, and reasonably necessary for disclosed purposes
- Maintain reasonable administrative, technical, and physical data security practices
- Obtain consent before processing sensitive data in many circumstances
- Establish a process for consumers to appeal certain refusals to act on privacy requests
- Honor verified consumer requests in accordance with the law
Key Requirements for Privacy Policies Under Virginia Law
Privacy policies under the VCDPA should clearly describe a covered business’s data practices and explain consumers’ rights under Virginia law.
Consumer Rights Under the VCDPA
Virginia residents have the right to access, correct, and delete certain personal data, as well as to obtain a portable copy of certain data and opt out of targeted advertising, the sale of personal data, and certain profiling activities.
Transparency in Data Collection and Use
Covered businesses are generally required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. This notice should explain the categories of personal data processed, the purposes for processing, how consumers may exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom data is shared.
Data Minimization and Purpose Limitation
Businesses subject to the VCDPA must limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer. They also must avoid processing personal data for purposes that are neither reasonably necessary nor compatible with those disclosed purposes unless they obtain consumer consent where required.
Comparison Between Virginia Privacy Laws and Other States
Virginia’s privacy laws differ from those of other states in several ways. For example, under the VCDPA, residents have explicit rights to access, correct, and delete their data, as well as opt out of targeted advertising, sale, or profiling. However, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) focus on the right to know what data is collected, sold, or shared, with limited correction rights.
Both Virginia and California laws mandate transparency about data practices. However, Virginia’s VCDPA goes further by enforcing data minimization and purpose limitation, ensuring only necessary data is collected for specific uses. In contrast, California laws primarily emphasize notice and disclosure.
Penalties for Non-Compliance With Virginia Privacy Laws
Under Virginia law, the Virginia Attorney General has enforcement authority over the VCDPA. The law does not create a private right of action for consumers under the VCDPA itself.
If the Attorney General determines that a covered business has violated the VCDPA, the business may face enforcement action, including civil penalties of up to $7,500 per violation, along with injunctive relief and recovery of reasonable expenses incurred in investigating and preparing the case, including attorney fees.
Civil Penalties Under the VCDPA
Businesses that violate the VCDPA may face civil penalties of up to $7,500 per violation. The enforcement process may include several steps:
- Investigation: The Virginia Attorney General may investigate whether a business’s privacy practices comply with the law.
- Issuing of penalties: If the Attorney General brings an action and proves violations, the court may impose civil penalties and other appropriate relief.
- Opportunity to remedy violations: The law provides a 30-day cure period after written notice from the Attorney General before an action may be initiated, if the business cures the violation and provides an express written statement that the alleged violations have been cured and that no further violations will occur.
Notable Data Breach Lawsuit in Virginia
Several notable data breaches have occurred in Virginia, greatly affecting consumers and their privacy.
Virginia v. Kroger (Point‑of‑Sale Data Breach Lawsuit)
This lawsuit involved a major retailer whose point-of-sale system was breached, exposing personal data of Virginia consumers and prompting enforcement action.
Virginia Attorney General v. Dollar Tree
The Virginia Attorney General brought legal action against Dollar Tree for inadequate data security practices that resulted in consumer harm.
Virginia v. Equifax
In one of the most significant data breach cases affecting Virginia residents, Virginia v. Equifax was part of the nationwide litigation over the Equifax breach, which exposed sensitive personal information and led to substantial settlements and reforms to strengthen consumer data protection.
New cases and investigations, settlement deadlines, and news straight to your inbox.
How Can a Data Breach Lawyer Help
If your personal information has been exposed, a data breach attorney can support your case in several pivotal ways, including the following:
- Guiding you through a data privacy claim
- Evaluating potential damages
- Pursuing compensation from the responsible companies
Organizations like Class Action U focus on connecting victims with experienced attorneys who handle data breach and privacy cases. Knowledgeable legal support and effective representation are key to a successful claim.
Our Partners Data Breach Settlements
- Milberg and its affiliates have recovered more than $50 billion for plaintiffs while helping shape a new era of corporate transparency and accountability.
- KO Lawyers recovered over $1,000,000,000 in class action suits.
Consult a Data Breach Lawyer in Virginia
If you have received a notification of a data breach and are not sure what your next steps are, do not wait to reach out today. Our seasoned professionals can connect you with a legal advocate who knows how to navigate data breach cases in Virginia. Schedule a free non-obligatory consultation to discuss the details of your case and to determine whether you have a valid claim.
New cases and investigations, settlement deadlines, and news straight to your inbox.