Data Privacy

Helping Virginia businesses understand and comply with data privacy obligations.

Data Privacy Law for Virginia Businesses

Businesses that collect, use, store, or share the personal information of Virginia residents have legal obligations under Virginia law. As data privacy regulation continues to expand, understanding what your business is required to do, and what practices reduce legal risk, is increasingly important.

Valley Legal provides legal counsel to businesses in Christiansburg, Blacksburg, and throughout the New River Valley of Virginia on data privacy compliance and related matters.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's Consumer Data Protection Act (VCDPA), effective January 1, 2023, is one of the most significant state data privacy laws in the country. It imposes obligations on businesses that process the personal data of at least 100,000 Virginia consumers per year, or 25,000 consumers per year if the business derives more than 50% of gross revenue from the sale of personal data.

Covered businesses must, among other things:

  • Provide consumers with a clear and accessible privacy notice
  • Honor consumer rights, including rights to access, correction, deletion, and portability
  • Obtain consent before processing sensitive personal data
  • Conduct and document data protection assessments for certain processing activities
  • Limit data collection to what is reasonably necessary for disclosed purposes
  • Implement reasonable data security practices
  • Limit or prohibit the sale of personal data unless consumers are offered an opt-out mechanism

The Virginia Attorney General enforces the VCDPA. Violations can result in civil penalties of up to $7,500 per violation. Importantly, the VCDPA does not provide a private right of action; enforcement is exclusively through the Attorney General.

Other Privacy Obligations

Even businesses that do not meet the VCDPA thresholds may have privacy obligations under other applicable laws, including:

  • Federal sector-specific laws (HIPAA for health information, GLBA for financial data, COPPA for children's data)
  • Virginia's data breach notification statute (Code of Virginia § 18.2-186.6)
  • Contractual obligations in vendor, customer, or partner agreements
  • Payment Card Industry Data Security Standard (PCI DSS) requirements for businesses that accept credit cards

How We Can Help

  • Assessing whether your business is subject to the VCDPA or other privacy laws
  • Drafting and reviewing privacy policies and notices for your website and business operations
  • Advising on data collection, use, and sharing practices to align with legal obligations
  • Drafting data processing agreements and vendor privacy addenda
  • Conducting legal review of data protection practices
  • Advising on consumer rights requests and how to respond
  • Counseling on privacy considerations in mergers, acquisitions, and new product development

General Information Only. Data privacy law is complex and evolving. This page provides general information only and does not constitute legal advice. Whether the VCDPA or other laws apply to your business depends on the specific facts of your operations. Contact our office to discuss your situation.