Virginia Consumer Data Protection Act (VCDPA)
A practical compliance guide for website owners. Learn what Virginia's privacy law requires and how to implement it on your site.
Who Must Comply
Conducts business in Virginia or targets Virginia residents AND controls/processes personal data of 100K+ consumers, OR controls/processes data of 25K+ consumers and derives 50%+ revenue from selling personal data
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Required |
| Honor GPC browser signals | Recommended |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The VCDPA requires the following links or notices to be visible on your website:
- 1Do Not Sell My Personal Data
- 2Privacy Policy
Enforcement & Penalties
Key Things to Know
Virginia was the second US state to enact comprehensive privacy legislation. The VCDPA follows an opt-out model for targeted advertising and sale of personal data, with opt-in required for sensitive data processing.
Key difference from CCPA: Virginia does not require honoring GPC signals (though it is recommended). The law also does not include a private right of action — only the Attorney General can enforce.
How to Configure LegalBanner for VCDPA
- 1
Create your site
Sign up for free and add your website domain in the dashboard.
- 2
Set consent mode to "Opt-out"
In Settings, select the consent mode that matches Virginia's requirements.
- 3
Install the snippet
Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
- 4
Generate your Privacy Policy
Use the built-in policy wizard to generate a VCDPA-compliant privacy policy.
Set up VCDPA compliance in 5 minutes
LegalBanner handles Virginia privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
Does the VCDPA require a cookie consent banner?
The VCDPA does not explicitly require a cookie consent banner. However, you must provide a clear mechanism for consumers to opt out of targeted advertising and sale of personal data. A cookie preference center is the most practical implementation.
Do I need a Do Not Sell link for Virginia?
Yes. If you sell personal data or use it for targeted advertising, you must provide a clear opt-out mechanism. A 'Do Not Sell My Personal Data' link in your footer or privacy policy is recommended.
Does Virginia require honoring GPC signals?
Unlike California, Virginia does not legally require honoring GPC signals. However, implementing GPC support is considered best practice and demonstrates good-faith compliance.
What are the penalties for VCDPA violations?
The Virginia Attorney General can seek up to $7,500 per violation. There is no private right of action — consumers cannot sue directly. The AG must provide a 30-day cure period before taking action.
Does the VCDPA apply to nonprofits?
No. The VCDPA explicitly exempts nonprofits, higher education institutions, and entities covered by HIPAA or Gramm-Leach-Bliley Act.