+44 (0) 121 582 0192 [email protected]

Overview of the VCDPA

The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law that was enacted on March 2, 2021, and will go into effect on January 1, 2023. The law provides Virginia residents with several new rights, including the right to access and delete their personal data and the right to opt out of certain data processing activities.

Which Businesses Are Covered?

The Virginia Data Privacy Law is applicable to “controllers,” or businesses, that operate within Virginia. It can also apply to businesses that are not based, incorporated, or located in Virginia if they provide products or services that target Virginia residents and if they either

(1) process or control the personal data of at least 100,000 Virginia residents in a calendar year, or

(2) process or control the personal data of at least 25,000 Virginia residents while deriving over half of their gross revenue from the sale of personal data.

Any Exemptions?

There are several entity-wide exemptions, including financial institutions that are subject to the

  • Gramm-Leach-Bliley Act,
  • entities that are regulated by HIPAA, non-profit organizations,
  • Virginia state agencies, and colleges and universities.

Data Protection Impact Assessment Obligations

Additionally, the law places new obligations on businesses that collect, process, or store personal information about Virginia residents. One of these new obligations is the requirement to complete a Data Protection Impact Assessment (DPIA).

A DPIA is a process for systematically identifying, assessing, and mitigating the risks that arise when processing personal data. DPIAs are designed to help organizations identify and address potential privacy and security risks before they occur, and to ensure that data processing activities are in compliance with applicable laws and regulations.

Under the VCDPA, businesses that process personal information about Virginia residents must conduct a DPIA if they engage in certain high-risk activities, such as processing sensitive data, using automated decision-making systems, or processing personal information for the purpose of targeted advertising. Specifically, the law requires a DPIA when a business processes personal information for the purpose of:

  • Targeted advertising,
  • Sale of personal data,
  • Profiling of personal data for decisions that produce legal or similarly significant effects, or
  • Processing sensitive data.

The VCDPA defines sensitive data as data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. The law also includes genetic and biometric data in its definition of sensitive data.

How does this affect Marketing teams?

For marketing teams, the VCDPA’s DPIA requirement will likely have the greatest impact on targeted advertising campaigns. Targeted advertising is a form of advertising that uses personal data to deliver advertisements to specific individuals or groups of individuals. This type of advertising can be particularly effective, but it also raises privacy concerns.

Under the Virginia Consumer Data Protection Act VCDPA, businesses that engage in targeted advertising must conduct a DPIA to assess the risks associated with the use of personal data for this purpose. The DPIA must identify the potential impact on individuals’ privacy and the steps the business will take to mitigate those risks. The DPIA must also be made available to the Virginia Attorney General upon request.

Marketing teams will need to work closely with their organization’s privacy and legal teams to ensure that targeted advertising campaigns are conducted in compliance with the VCDPA. This may involve conducting a DPIA, developing policies and procedures for the use of personal data in advertising, and implementing technical and organizational measures to protect personal data.


The VCDPA’s DPIA requirement will likely increase the level of scrutiny applied to marketing activities that involve the use of personal data. Marketing teams will need to be proactive in identifying potential privacy risks and implementing appropriate controls to ensure compliance with the law. By doing so, they can help their organizations build trust with customers and avoid the potential financial and reputational harm that can result from noncompliance. Business should try to eliminate any data privacy silo’s within the business to enable privacy by design.

Empower your marketing brand by engaging with the Formiti Data International Experts and ensure the new Virginia Privacy Law does not trip up your successful marketing campaigns and revenue generation.