Scantra
SEO & Compliance Monitor

Virginia Website Compliance Requirements

high risk

Virginia was the second US state (after California) to pass a comprehensive consumer privacy law. The VCDPA establishes opt-out rights for targeted advertising and data sale, plus opt-in for sensitive data. Coverage thresholds catch most national websites quickly.

Last reviewed 2026-06-19 · Risk rating rationale: The 100,000-Virginia-resident threshold is reached by most national e-commerce, SaaS, and ad-supported sites within months of going live.

Find out in 10 seconds whether your site meets Virginia's requirements

Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most Virginia sites we scan fail at least three.

Run a free scan →

No credit card · Email required so we can send you the full results.

Key Virginia laws affecting websites

The statutes most likely to apply to a commercial website serving Virginia residents.

VCDPA

Virginia Consumer Data Protection Act · Effective 2023

Applies to: Entities that conduct business in Virginia and either (a) control or process the personal data of 100,000+ Virginia consumers in a calendar year, or (b) derive 50%+ of gross revenue from the sale of personal data AND control or process the data of 25,000+ Virginia consumers.

What your website must do

  • Privacy notice that names the categories of data collected, purposes, third-party sharing, and how to exercise rights
  • Honour requests for access, correction, deletion, and data portability
  • Provide an opt-out from targeted advertising and from sale of personal data
  • Get opt-in consent before processing sensitive data (race, religion, sexual orientation, health, biometric, precise geolocation, immigration status, children's data)
  • Conduct data protection assessments for targeted ads, sale, profiling with significant effects, and sensitive data processing

Citation: Va. Code Ann. § 59.1-575 et seq.

Virginia compliance by topic

Consumer data protection

State-specific rule applies

What your site has to disclose, ask consent for, and allow consumers to do with their personal information.

VCDPA gives Virginia consumers rights to access, correct, delete, and port their personal data. Businesses must respond within 45 days (extendable once by 45 days) and offer a free appeal process.

Practical requirements for your website

  • Publish a privacy notice that lists "categories of personal data processed" and "categories of third parties with whom the controller shares personal data"
  • Provide at least two methods for consumers to submit rights requests (one must be a clear link in the privacy notice)
  • Verify consumer identity before fulfilling deletion, correction, or portability requests
  • Conduct and document a Data Protection Assessment before any high-risk processing (targeted ads, sale, profiling, sensitive data)

Cookies and tracking

Federal law applies

When you need consent or opt-outs, and when you must honor universal opt-out signals, for cookies and analytics scripts.

Virginia does not require cookie banners. However, cookies used to enable targeted advertising trigger VCDPA opt-out rights, so a privacy-rights link must be visible on every page.

Practical requirements for your website

  • Include a "Your Privacy Choices" or "Opt Out of Targeted Ads" link in the page footer that opens the opt-out mechanism
  • Honour the Global Privacy Control (GPC) browser signal as a valid opt-out of targeted advertising
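One way to apply the two requirements above on the server, as an added example that is not Scantra's code: a `Sec-GPC: 1` request header or a stored opt-out is treated as an opt-out of targeted advertising, and ad tags are left out of the response. The `privacy_optout` cookie name, the tag inventory and the purpose labels are assumptions made for illustration.

```javascript
// Added example: server-side gate for targeted-advertising tags.
// Assumed names: the privacy_optout cookie, the tag list, the purpose labels.
const TAGS = [ // constructed sample inventory
  { src: "/js/app.js", purpose: "essential" },
  { src: "https://ads.example/pixel.js", purpose: "targeted_ads" },
  { src: "https://stats.example/a.js", purpose: "analytics" },
];

// Header names are case-insensitive; normalise before lookup.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader = "") {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide whether targeted-ad tags may load for this request, and why not.
function adDecision(headers) {
  // The GPC header carries the value "1"; anything else is not a signal.
  const gpc = getHeader(headers, "sec-gpc") === "1";
  const stored = parseCookies(getHeader(headers, "cookie")).privacy_optout === "1";
  const reason = gpc ? "gpc" : stored ? "stored-opt-out" : "none";
  return { targetedAds: !(gpc || stored), reason };
}

// Build the tag list and response headers for one request.
function renderPlan(headers) {
  const decision = adDecision(headers);
  // Only targeted-ad tags are dropped; other purposes are outside this opt-out.
  const tags = TAGS.filter(
    (t) => decision.targetedAds || t.purpose !== "targeted_ads"
  );
  // The body now depends on these request headers, so a shared cache must
  // not serve the ad-carrying variant to a visitor who has opted out.
  return { decision, tags, responseHeaders: { Vary: "Sec-GPC, Cookie" } };
}
```

In the browser, the same signal is exposed to client-side tag loaders as `navigator.globalPrivacyControl`.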

Accessibility (ADA + state)

Federal law applies

WCAG conformance expectations and how the state's accessibility cases tend to be litigated.

Virginia follows federal ADA Title III for website accessibility — there is no state-specific WCAG mandate.

Practical requirements for your website

  • Conform to WCAG 2.1 AA as the de-facto US accessibility standard
  • Publish an accessibility statement with a contact email for accommodation requests

Cybersecurity and breach response

Federal law applies

What 'reasonable security' looks like under state law and how fast you have to notify after a breach.

Federal FTC Act Section 5 governs deceptive disclosures. Virginia adds general consumer protection statutes but no website-specific disclosure mandate.

Practical requirements for your website

  • Material connection disclosures on every endorsement (affiliate links, sponsored posts)
  • Honest price, availability, and shipping representations

Email and SMS marketing

Federal law applies

How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.

Virginia anti-spam law has been largely preempted by federal CAN-SPAM. Compliance focuses on the federal standard.

Practical requirements for your website

  • Clear sender identification and accurate subject lines
  • Functional unsubscribe link that processes within 10 business days
  • Physical postal address in every commercial email

AI regulation

Federal law applies

Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.

Virginia has no AI-specific consumer law yet, though VCDPA's profiling provisions apply to algorithmic decisions with significant effects.

Practical requirements for your website

  • If profiling drives significant decisions (credit, employment, housing, insurance, healthcare, education), provide opt-out under VCDPA
  • Document the data protection assessment that justifies high-impact profiling

Frequently asked questions about Virginia website compliance

When does the VCDPA threshold actually apply to my site?

The 100,000-consumer threshold counts Virginia residents whose personal data your business processes in a calendar year — site visitors with VA-resolved IPs typically count. National sites with analytics installed usually cross the threshold within weeks. Once you cross, compliance is required for the rest of the calendar year AND the next year, even if traffic drops.

Is VCDPA enforced by a private right of action?

No. Enforcement is exclusively by the Virginia Attorney General. There is a 30-day cure period before AG action — meaning most violations get a notice before any penalty. Penalties cap at $7,500 per violation.

Do I need separate privacy policies for VCDPA, CCPA, and CPA?

No. A single multi-state privacy policy that clearly enumerates each state's rights and contact methods satisfies all three. Scantra checks for the presence of state-required rights enumeration on every scan.

Ready to check your own site against Virginia's requirements?

The same free 9-rule scan, no signup needed. Two of the findings include drafted fixes you can copy/paste; full results (and ongoing monitoring) come with a free account.

Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Virginia.