Virginia Consumer Data Protection Act (VCDPA)
Virginia's comprehensive consumer privacy law establishing data rights, controller obligations, and opt-out mechanisms effective January 1, 2023.
The Virginia Consumer Data Protection Act (VCDPA), codified at Va. Code Ann. § 59.1-571 et seq., took effect January 1, 2023, making Virginia the second U.S. state to enact a comprehensive privacy law. It applies to controllers that process personal data of 100,000+ Virginia consumers annually, or 25,000+ consumers while deriving over 50% of revenue from data sales. The VCDPA grants consumers five core rights: access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions with legal or similarly significant effects. Unlike CCPA, the VCDPA has no private right of action — enforcement rests exclusively with the Virginia Attorney General.
Engineering obligations under the VCDPA concentrate on data mapping and consent-signal processing. Controllers must conduct and document Data Protection Assessments (DPAs) before processing sensitive data — defined to include health data, precise geolocation, racial or ethnic origin, religious beliefs, and data concerning children — or before processing for targeted advertising, sale, or high-risk profiling (§ 59.1-578). Processors must enter data processing agreements with controllers (a separate document from the assessment, although it is also commonly abbreviated DPA) specifying processing instructions, confidentiality obligations, subprocessor requirements, audit rights, and deletion/return obligations. Systems must honor opt-out requests within 45 days, extendable by an additional 45 days with notice to the consumer. Universal Opt-Out Mechanisms (UOOMs) became a recognized opt-out signal under the Virginia AG's guidance.
The VCDPA's sensitive data category creates nuanced engineering requirements. Precise geolocation — location within a 1,750-foot radius — requires opt-in consent before collection, a stricter standard than for other data categories. The children's data provisions interact with COPPA: controllers must treat data of known children under 13 per COPPA, while the VCDPA adds a layer for ages 13–15 in certain contexts. Pseudonymous data is excluded from consumer rights requests only if the controller can demonstrate it cannot reasonably re-identify the data subject — an engineering standard requiring documented de-identification analysis. The VCDPA's security requirement (§ 59.1-578(A)) mandates "reasonable administrative, technical, and physical data security practices," without prescribing specific controls, leaving technical implementation to risk-based judgment.
We implement VCDPA compliance through automated data inventory and classification pipelines that flag sensitive data categories at ingestion, generate DPA templates tied to processor relationships, and wire opt-out preference signals from UOOMs into downstream advertising and profiling systems within SLA. Our DPA workflow tooling documents assessment rationale and links to the relevant data flows for audit evidence.
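As an added example (not the tooling described above or any project's own code), the following Python encodes the decisions a processing gate has to make under the rules summarized on this page: opt-in for sensitive categories, opt-out handling for targeted advertising, sale and profiling, the UOOM signal, the 1,750-foot precise-geolocation threshold, and the 45-day response window. The category and purpose names, the scope given to the UOOM signal, and the use of the Global Privacy Control header `Sec-GPC` as that signal are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and categories as stated in the VCDPA summary above.
PRECISE_GEO_RADIUS_FT = 1750
OPT_OUT_SLA_DAYS = 45
OPT_OUT_EXTENSION_DAYS = 45
SENSITIVE_CATEGORIES = {"health", "precise_geolocation", "racial_ethnic_origin",
                        "religious_beliefs", "child_data"}
OPT_OUT_PURPOSES = {"targeted_advertising", "sale", "automated_profiling"}
# Assumption: a UOOM signal covers targeted advertising and sale; opt-outs of
# profiling still arrive through the consumer request channel.
UOOM_PURPOSES = {"targeted_advertising", "sale"}


@dataclass
class ConsumerState:
    opt_in: set = field(default_factory=set)   # sensitive categories with explicit opt-in
    opt_out: set = field(default_factory=set)  # purposes the consumer has opted out of
    uoom_signal: bool = False                  # universal opt-out signal seen on the request


def is_precise_geolocation(accuracy_radius_ft: float) -> bool:
    """Location data is 'precise' (sensitive) when it places a consumer within 1,750 feet."""
    return accuracy_radius_ft <= PRECISE_GEO_RADIUS_FT


def uoom_from_headers(headers: dict) -> bool:
    """Assumption: Global Privacy Control ('Sec-GPC: 1') is the UOOM signal honored here."""
    return headers.get("Sec-GPC", "").strip() == "1"


def may_process(purpose: str, categories: set, state: ConsumerState) -> tuple:
    """Return (allowed, reason) for one processing activity over the given data categories."""
    missing = [c for c in sorted(categories & SENSITIVE_CATEGORIES) if c not in state.opt_in]
    if missing:
        return False, "no opt-in consent for sensitive data: " + ", ".join(missing)
    if purpose in OPT_OUT_PURPOSES and purpose in state.opt_out:
        return False, f"consumer opted out of {purpose}"
    if purpose in UOOM_PURPOSES and state.uoom_signal:
        return False, f"universal opt-out signal blocks {purpose}"
    return True, "permitted"


def opt_out_deadline(received_iso: str, extended: bool = False) -> str:
    """ISO date by which an opt-out must be honored: 45 days, plus 45 more with notice."""
    days = OPT_OUT_SLA_DAYS + (OPT_OUT_EXTENSION_DAYS if extended else 0)
    return (date.fromisoformat(received_iso) + timedelta(days=days)).isoformat()
```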