US State Privacy Laws – Virginia CDPA and Comparable State-Level Privacy Legislation
Overview of Virginia CDPA and comparable US state privacy laws introducing consumer rights and business obligations inspired by GDPR principles.
Summary
In the absence of a comprehensive US federal privacy law, several US states have enacted their own privacy statutes. The Virginia Consumer Data Protection Act (VCDPA) took effect January 1, 2023, and is among the most significant. Similar frameworks have been enacted in Colorado, Connecticut, Utah, Texas, Florida, Oregon, and others.
- Consumer rights: Access, correction, deletion, data portability, and opt-out of profiling.
- Transparency: Businesses must provide clear privacy notices.
- Consent: Opt-out for data sales and targeted advertising; opt-in for sensitive data processing.
- Data protection assessments: Required for certain high-risk processing activities.
History
The development of state-level privacy laws was largely catalyzed by the California Consumer Privacy Act (CCPA, 2018) and its successor, the California Privacy Rights Act (CPRA, 2020). Virginia enacted the VCDPA in March 2021, becoming the second state after California to pass a comprehensive privacy law.
A "state privacy law boom" followed: Colorado (CPA, July 2023), Connecticut (CTDPA, July 2023), Utah (UCPA, December 2023), Texas (TDPSA, July 2024), Florida (FDBR, July 2024) and others. These laws differ significantly in thresholds, exemptions, enforcement mechanisms, and consumer rights. The patchwork has increased pressure on Congress to enact uniform federal legislation.
The VCDPA itself has been amended multiple times since enactment. Before taking effect, 2022 pre-effective amendments (HB 381, HB 714, SB 534) introduced a deletion right exemption, redefined nonprofit applicability, and abolished the Consumer Privacy Fund. In May 2024, the Governor signed a children's data protection amendment (SB 361/HB 707), effective January 1, 2025. Reproductive and sexual health data protections took effect on July 1, 2025. Additionally, SB 854 introduced social media restrictions for minors (effective January 1, 2026), with the Virginia Attorney General announcing enforcement intent in February 2026.
Scope
The VCDPA applies to businesses operating in Virginia or offering products/services to Virginia residents that meet at least one of the following thresholds:
- Process personal data of at least 100,000 consumers per year, or
- Process data of at least 25,000 consumers and derive more than 50% of gross revenue from data sales.
Exempt entities include state government bodies, nonprofits (with limitations), financial institutions under GLBA, and healthcare entities under HIPAA. Special categories of sensitive data (health, biometric, genetic, race/ethnicity, religion, precise geolocation, children's data) are subject to heightened requirements.
Key Requirements
- Privacy notice: Clear disclosure of data categories, purposes, consumer rights, and contact information.
- Right to access: Consumers may confirm whether and what personal data is being processed.
- Right to correct: Correction of inaccurate personal data.
- Right to delete: Deletion of personal data provided or collected by the controller.
- Right to portability: Receipt of a machine-readable copy of personal data.
- Opt-out right: Objection to data sales, targeted advertising, and certain profiling activities.
- Data protection assessment: Mandatory for targeted advertising, data sales, profiling with significant effects, sensitive data, and certain other activities.
- Processor contracts: Written data processing agreements required.
- Enforcement: Exclusively by the Virginia Attorney General; civil penalties up to $7,500 per intentional violation and up to $2,500 per unintentional violation. Each affected consumer constitutes a separate violation.