How To Exercise Virginia Consumer Data Protection Act Vcdpa

The Virginia Consumer Data Protection Act (VCDPA) grants Virginia residents the right to access, delete, and correct personal data held by companies, with a 45-day response requirement. You can request data access, demand deletion, opt out of data sales, and correct inaccurate information using formal requests. If companies refuse, escalate to the Virginia Attorney General’s office. The VCDPA applies to for-profit businesses collecting data from Virginia residents or selling their data.

What Is VCDPA and Who Does It Protect?

The VCDPA is Virginia’s response to growing concerns about how companies collect, use, and store consumer data. Unlike older consumer protection laws, the VCDPA focuses specifically on data privacy and gives individuals concrete tools to control their information.

Under this law, Virginia residents have the right to know what data companies collect about them, request deletion of that data, opt out of data sales, and correct inaccuracies. The law applies to businesses that meet certain thresholds—such as collecting data from more than 100,000 consumers or 25,000 consumers while deriving over 50% of revenue from data sales.

Your Fundamental Rights Under VCDPA

Right to Know and Access

You can request a copy of all personal data a company has collected about you. This includes any information that identifies you directly, such as your name, email address, or social security number, as well as indirect identifiers like browsing history or purchase patterns.

To exercise this right, find the company’s privacy policy and look for “data subject access request” or “consumer rights request.” Most companies provide an online form or email address for these requests. Be specific about what information you want—requesting “all personal data” is acceptable, but specifying categories can help you get faster results.

Here’s a sample request template:

Subject: VCDPA Data Access Request
To: [Company Privacy Email]
I am a Virginia resident exercising my right to know under the Virginia Consumer Data Protection Act.
Please provide a copy of all personal data you have collected about me, including:
- Categories of data collected
- Specific pieces of personal data held
- Sources of data
- Purpose for collection
- Third parties with whom data is shared
Please respond within 45 days as required by law.
[Your Name]
[Your Email]
[Your Address]
[Date]

Right to Delete

You can ask companies to delete your personal data. This right, sometimes called the “right to be forgotten,” covers data you provided directly and data the company collected from other sources. However, certain exceptions exist—companies may retain data necessary to complete transactions, comply with legal obligations, or maintain security.

When sending a deletion request, include enough information for the company to identify you in their systems. If you have an account, provide your username or email. If you made purchases, include order numbers if available. Request confirmation in writing and note the 45-day response window.

Right to Opt Out of Sales

The VCDPA gives you the right to opt out of the sale of your personal data to third parties. “Sale” is broadly defined—it includes sharing data in exchange for “valuable consideration,” which means money or other benefits the company receives.

To opt out, look for a “Do Not Sell My Personal Information” link on the company’s website. Many companies place this in their footer or privacy policy. Virginia residents can also use the global opt-out signal by enabling “Global Privacy Control” or “Do Not Track” in their browser settings, which notifies companies of your preference automatically.

Right to Correct Inaccurate Data

If you believe the data a company holds about you is incorrect, you can request correction. This is particularly important for financial data, credit information, or any data that affects decisions made about you. Provide the correct information and explain why the existing data is inaccurate.

Right to Appeal

If a company denies your request, you have the right to appeal. The company must provide information about how to appeal within 45 days. If the company still refuses after appeal, you can file a complaint with the Virginia Attorney General’s office.

Practical Steps to Protect Your Privacy

Audit Your Data Footprint

Start by making a list of companies that likely have your data. This includes online retailers, social media platforms, financial institutions, healthcare providers, and any service where you’ve created an account. Check each company’s privacy settings and exercise your rights with those holding the most sensitive information.

Use Privacy Tools

Browser extensions like Privacy Badger, uBlock Origin, and Ghostery can help you see who’s tracking you online. For email, consider using email aliases or forwarding services that let you create unique addresses for different purposes—making it easier to identify which company sold or shared your data.

Enable Global Privacy Control

Modern browsers and some operating systems support Global Privacy Control (GPC). When enabled, this signal automatically tells websites not to sell your data. Here’s how to enable it in common browsers:

Firefox: Go to Settings > Privacy & Security > Enhanced Tracking Protection and ensure Strict is selected
Safari: Enable “Prevent cross-site tracking” in Safari preferences
Chrome: Install the Global Privacy Control extension from the Chrome Web Store

Review App Permissions

Mobile apps often collect more data than necessary. Go through your phone’s app settings and revoke permissions that aren’t essential. Pay special attention to location access, contacts, microphone, and camera permissions. Many apps will still function with reduced permissions.

What Companies Must Do

Under VCDPA, covered businesses must:

Provide clear privacy notices explaining what they collect and why
Respond to consumer requests within 45 days (with a possible 15-day extension)
Not discriminate against consumers who exercise their rights
Obtain consent before collecting data from children under 13
Conduct annual data protection assessments for high-risk activities

If a company fails to comply, the Virginia Attorney General can impose fines up to $7,500 per violation. While private lawsuits are not permitted under VCDPA, the Attorney General’s office can take action on behalf of consumers.

Timeline and What to Expect

Companies must respond to your request within 45 days. They may request additional information to verify your identity, which is reasonable—companies must ensure they’re not disclosing data to the wrong person. However, they cannot use this as a way to avoid responding entirely.

If a company needs more time, they must notify you before the 45-day deadline and explain why they need an extension. The maximum extension is 15 days.

Keep records of all your requests, including confirmation emails and any responses. If a company ignores your request or provides an inadequate response, document everything before filing a complaint with the Virginia Attorney General.

Identifying Which Companies Must Comply with VCDPA

VCDPA applies to “businesses” that:

Collect personal data from Virginia residents AND
Do business in Virginia AND
Meet one of these thresholds:
Process data of 100,000+ Virginia residents/households annually
Derive 50%+ of annual revenue from selling personal data of 25,000+ residents/households

Companies that typically must comply:

Social media platforms (Meta, Twitter, TikTok, Instagram)
Large retailers (Amazon, Walmart, Target)
Tech companies (Google, Microsoft, Apple)
Data brokers and people search companies
Ad networks and analytics platforms
Financial services (banks, credit card companies)
Insurance companies
Healthcare providers and medical billing companies
E-commerce platforms

Companies that might be exempt:

Small local businesses not meeting thresholds
Nonprofits
Government agencies (sometimes)
Entities already covered by other privacy laws (HIPAA for healthcare, GLBA for financial institutions)

Step-by-Step Request Process

Step 1: Locate the company’s privacy portal Most large companies have privacy centers on their websites:

Look for “Privacy”, “Your Privacy Choices”, or “California/Virginia Privacy”
Search the company’s domain for “data subject request”
Check the footer of their website for privacy links
Email their privacy@company.com address

Step 2: Gather your identifying information Before submitting, have ready:

Your full legal name
Any aliases you use with the company
Email addresses you’ve used
Phone number if applicable
Account username/ID if you have one
Order numbers or purchase history if relevant
Any other identifier specific to their records

Step 3: Submit your request Most companies provide online forms. If not, send an email. Keep this information clear:

State you’re a Virginia resident
Specify which right you’re exercising (access, delete, correct, opt out)
Include sufficient identifying information
Request a specific response timeline (e.g., “within 30 days, well before your legal 45-day deadline”)
Include your signature and date
Keep a copy for your records

Step 4: Document everything Create a spreadsheet tracking:

Company name
Request date
Request type (access/delete/correct/opt out)
Contact method
Expected response deadline
Actual response date
Response quality (complete/incomplete/refused)
Follow-up needed (yes/no)

Common Company Responses and How to Handle Them

Response Type 1: Identity Verification Request This is legitimate and required. The company must verify you’re actually making the request. Provide what they ask (driver’s license, utility bill, etc.) but don’t provide more than necessary.

Response Type 2: Partial Response Company provides some data but claims other data falls under exemptions. Request detailed explanations for what was withheld. You can follow up if explanations seem insufficient.

Response Type 3: “We don’t have your data” Possible if you truly never used their services, but many companies track you without your interaction (ad networks, data brokers). If suspicious, request confirmation in writing.

Response Type 4: Delayed Response If they miss the 45-day deadline (with documented extensions), this is a violation. Document and escalate to Virginia Attorney General if necessary.

Specific Company Examples

Amazon:

Go to amazon.com > Account > Login & security > Manage your content and devices
Request your complete data, or
Email compliance@amazon.com with your request

Google:

Visit takeout.google.com to access your data
Use this to request deletion, or
Submit formal VCDPA request at google.com/account/about/privacy

Meta (Facebook/Instagram):

Go to Settings > Your Information > Download your information
For deletion or opt-out, use meta.com/privacy

TikTok:

Settings > Your account > Download your data
Or submit formal request at tiktok.com/privacy

Financial Institutions (banks, credit card companies):

Usually have dedicated privacy request processes
May require you to submit requests in person with ID
Keep documentation of all submissions

Handling Company Refusals

If a company refuses your request and the refusal seems unjustified:

Request specific justification: Ask them to cite the exact VCDPA provision allowing their refusal
Request appeal process: All companies must provide appeal information
File an appeal: Use their appeal process with additional documentation
Document everything: Keep copies of all correspondence
File complaint with Virginia AG: Virginia Attorney General’s office can investigate

Filing a complaint:

Contact Virginia Attorney General at ag.virginia.gov
Include copies of your requests and company responses
Explain why you believe the company violated VCDPA
Include dates and identifying information
The AG’s office will investigate on your behalf

Timing Strategy for Multiple Requests

Don’t submit all requests simultaneously if you want to track responses carefully:

Month 1-2: High-priority companies

Social media where you’re active
Retailers where you’ve made purchases
Email providers
Cloud storage services

Month 3-4: Secondary companies

Subscription services
Streaming platforms
Financial services (if not already done)

Month 5+: coverage

Data brokers
Ad networks (harder to identify)
Background check companies

This staggered approach allows you to properly handle responses and appeals without being overwhelmed.

Special Considerations

Children’s Data: VCDPA has strict rules about children under 13. If you’re a parent:

Companies must get explicit consent before collecting from children under 13
You can request deletion of children’s data
You can request the company stop collecting on your child

Employee Data: Employee data is partially exempted from VCDPA. While you can request access to monitoring data (see employer article), companies have some exemptions for employment-related processing.

Business Relationships: If you run a Virginia business, remember VCDPA might apply to you if you collect customer data. Ensure your business has:

Privacy notices on your website
Processes to handle customer requests
Data protection assessments for sensitive processing

VCDPA vs. Other Privacy Laws

Virginia residents might also have rights under:

CCPA (California): Applies to some Virginia residents who conducted transactions in California COPPA (Children’s Online Privacy): Applies if children under 13 use your services GLBA (Gramm-Leach-Bliley): Applies to financial institutions HIPAA (Health Insurance Portability): Applies to healthcare providers

Multiple laws may apply to the same company, giving you additional rights.

Long-Term Privacy Strategy

Using VCDPA effectively:

Audit data held about you (start with 5-10 major companies)
Request deletion of unnecessary data
Opt out of data sales where possible
Enable Global Privacy Control signals
Use email aliases to limit data collection going forward
Review privacy settings on accounts regularly
Repeat annual audits to maintain control

Built by theluckystrike — More at zovo.one