Virginia Consumer Data Protection Act (VCDPA, Profiling Provisions)
Effective date
Penalty
Up to $7,500 per violation. AG exclusive enforcement with mandatory 30-day written notice and cure opportunity before any action. No private right of action.
Cure period
30 days
Obligations mapped
12 obligations
Overview
Grants Virginia consumers the right to opt out of profiling in furtherance of decisions that produce legal or significant effects. The VCDPA excludes employee and HR data and B2B data from scope; profiling opt-out applies to consumer data only. Permanent 30-day cure period with no sunset: unlike most states, Virginia does not phase out the cure opportunity. Virginia does not require universal opt-out mechanisms (UOOMs). Virginia does not grant the Attorney General rulemaking authority. In March 2025, Governor Youngkin vetoed HB 2094, a comprehensive AI act that would have materially expanded the privacy and AI framework. Virginia is the most business-friendly state privacy law among comparable statutes: permanent cure, no UOOMs, no AG rulemaking, and a high revenue threshold (50% for the 25,000-consumer applicability tier).
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Deployers and users of covered AI systems and tools
- Organizations operating in Virginia
This regulation applies to companies that use or deploy AI tools and systems built by other vendors. If your company uses AI-powered products in the areas listed below, this regulation may apply to you.
HB 2094
AI categories covered
- Consumer-facing AI
- Automated decision-making
- Algorithmic profiling
Specific AI use cases:
- Customer profiling and segmentation
What this requires you to do
12 obligations identified from statutory analysis.
59.1-580(A)(3), 59.1-580(C)
59.1-580(D)
59.1-578(A)(4)
59.1-577(C)
59.1-578(E)
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Up to $7,500 per violation. AG exclusive enforcement with mandatory 30-day written notice and cure opportunity before any action. No private right of action.
Cure period: 30 days.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
struck down
HB 2094 (comprehensive AI act) vetoed by Governor
amended
Amendments clarify data protection assessment provisions (cc. 840, 844)
effective
Takes effect
Related regulations
Virginia AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.