Virginia Consumer Data Protection Act

So, the latest state in the union to fill in the gaping privacy hole left by the federal government is Virginia.

Reading it through, at first, it looks as though Virginia is adopting a fairly comprehensive, and constitutionally questionable, cybersecurity privacy regime. After all, there is a fairly expansive definition of “personal data,” there are risk assessments required under certain conditions, special treatment of “sensitive data” (which you should know is different from personal data; it’s a common misconception by my clients), and $7,500 per violation fines that would be courtesy of the Virginia Attorney General.


But that’s not all: the people of Virginia are given a GDPR-like bundle of rights, including the right to:

1. Access personal data a business has about them;
2. Correct data inaccuracies;
3. Delete personal data a company has about them (with exceptions);
4. Opt-out of the sale of personal data; and
5. Opt-in to the processing of ‘sensitive data.’


But…unfortunately for the people of Virginia, this law is more of a political gesture. First off, most of the rights from the bundle have exceptions. Secondly, there is no private cause of action for Virginia residents. Finally, and most importantly, the law only applies to companies that either control or process personal data of at least 100,000 Virginia residents during a calendar year; or control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data. So, it probably doesn’t apply to your company or any other company you are involved with. I also like how they limited the “100,000 resident” requirement to justify the processing of 100,000 residents within 1 year. Just in case the law was actually, and accidentally, applicable to anyone.


I kid. Kind of. I suppose it is some protection, but what the people of Virginia need, and really what the entire country needs, is a clearly stated privacy regime that has teeth. Without teeth, it's just a gesture, and gestures don’t protect anyone.


As always, if you have any questions or concerns about this new law, please don’t hesitate to contact me at

Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.
