The Virginia Consumer Data Protection Act took effect on January 1 2023, making it one of the earlier US state privacy laws. Enforcement rests with the Virginia Attorney General, and the law provides a 30-day cure period before penalties can be imposed.
How VCDPA Enforcement Works
The Virginia Attorney General has exclusive authority to enforce the VCDPA. Consumers cannot sue businesses directly for violations.
When the Attorney General identifies a potential violation, the business receives notice and has 30 days to cure the issue. If the violation is not cured, the Attorney General can pursue enforcement action.
Penalties are:
- Up to $7,500 per intentional violation
- Up to $2,500 per unintentional violation
Each affected consumer counts as a separate violation. Fines can therefore accumulate quickly. All penalties collected are paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund, which supports ongoing enforcement efforts.
Enforcement Status
As of January 2026, Virginia has not publicly announced major VCDPA enforcement actions resulting in published fines. This does not mean the Attorney General has been inactive. The 30-day cure period means many potential violations may be resolved before formal enforcement proceedings begin.
The lack of public enforcement cases is consistent with other state privacy laws that include cure periods. Businesses receiving violation notices often prefer to resolve issues quietly rather than face public enforcement action.
Enforcement Expectations
Based on the VCDPA’s structure and enforcement patterns in other states, businesses should expect attention in these areas:
Consent for sensitive data. The VCDPA requires explicit consent before processing sensitive personal data, including health information, precise geolocation, and biometric data. Processing sensitive data without proper consent is a likely enforcement focus.
Data protection assessments. Businesses engaging in targeted advertising, data sales, profiling, or sensitive data processing must conduct and document data protection assessments. Failure to complete these assessments could trigger enforcement.
Privacy notice accuracy. Privacy notices must accurately describe data collection and use practices. Discrepancies between stated practices and actual behavior create enforcement risk.
Opt-out mechanisms. Consumers have the right to opt out of data sales, targeted advertising, and certain profiling. Opt-out mechanisms that do not function properly or are difficult to use may attract scrutiny.
Children’s Privacy Focus
Virginia amended the VCDPA in 2024 to strengthen protections for children’s data. These amendments took effect on January 1 2025 for children under 13, with additional requirements for social media platforms taking effect on January 1 2026.
Businesses processing children’s data should expect heightened enforcement attention as these new provisions take effect. The amendments apply regardless of whether a business meets the standard VCDPA thresholds.
What This Means for Your Organization
The absence of public enforcement cases should not be interpreted as lax enforcement. The cure period means the Attorney General may be actively identifying and resolving violations outside of public view.
Businesses should:
- Ensure consent mechanisms exist for all sensitive data processing
- Complete required data protection assessments
- Verify that privacy notices accurately reflect actual practices
- Test opt-out mechanisms to confirm they function correctly
- Review practices involving children’s data against the new amendments
Proactive compliance is the most effective approach. By the time a business receives a violation notice, the Attorney General has already identified a problem. The 30-day cure period provides a safety net, but resolving issues under pressure is more difficult and costly than getting compliance right from the start.
