Compliance Briefing — January 1, 2023
Virginia’s Consumer Data Protection Act is now enforceable, granting residents rights to access, delete, and correct personal data and requiring controllers to perform data protection assessments.
Executive briefing: The Virginia Consumer Data Protection Act (VCDPA) took effect on 1 January 2023. Controllers operating in or targeting Virginia must honour consumer rights, provide clear privacy notices, secure opt-in consent for sensitive data, and conduct documented data protection assessments for targeted advertising, profiling, and high-risk processing.
Key compliance checkpoints
- Consumer rights operations. Implement mechanisms to verify identity and respond to access, correction, deletion, and portability requests within 45 days.
- Opt-out signals. Enable opt-outs for targeted advertising, personal data sales, and profiling with legal or similar significant effects.
- Data protection assessments. Maintain assessments covering purpose, benefits, risks, and safeguards for high-risk processing activities.
Operational priorities
- Privacy notices. Update disclosures to list processed data categories, purposes, third-party sharing, and rights exercise instructions per §59.1-574.
- Processor contracts. Amend agreements with processors to include confidentiality, audit, and deletion requirements.
- Appeals process. Establish consumer appeal procedures and escalation to the Attorney General if requests are denied.
Enablement moves
- Align VCDPA controls with CPRA, CDPA (Colorado), and GDPR frameworks to streamline multi-state privacy compliance.
- Deploy intake portals and ticketing systems to manage rights requests and deadlines.
- Document governance oversight via privacy boards or steering committees to evidence accountability.
Sources
- Virginia Code Title 59.1, Chapter 53 (Consumer Data Protection Act)
- Virginia Attorney General VCDPA guidance
Zeph Tech delivers privacy program assessments, rights automation, and processor governance tailored to VCDPA obligations.