The roller coaster of comprehensive state data privacy laws continues in earnest. California has now double dipped: first with the California Consumer Privacy Act (CCPA) and second with the California Privacy Rights Act (CPRA). With all eyes on New York, Washington State, and other potential early movers for more state legislation, Virginia has surprised the nation by coming out very quickly with its own comprehensive privacy law, the Virginia Consumer Data Protection Act (VCDPA), which Governor Ralph Northam signed into law on March 2nd, 2021 and which becomes effective January 1, 2023. As a sign of developments perhaps to come, Virginia didn’t go for a half-baked privacy law; it went full steam into a comprehensive set of privacy rights for consumers and obligations for companies, borrowing many of its terms and concepts from the EU General Data Protection Regulation (EU GDPR). For many US companies hoping that comprehensive data privacy law would stay confined to California, this is a clear signal that we need to be ready for more.

Application/Exception

The VCDPA applies to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” The VCDPA defines “Consumer” to mean a natural person who is a resident of Virginia, but does not include a natural person acting in a commercial or employment context.

The VCDPA contains many exemptions for data already subject to other laws and regulations, including those organizations covered by the Health Insurance Portability and Accountability Act (HIPAA), non-profits, universities, and organizations subject to the Gramm-Leach-Bliley Act (GLBA). The VCDPA also exempts categories of data, such as protected health information under HIPAA, information regulated by the Family Educational Rights and Privacy Act, employment-related data, and information used in a consumer report to the extent that it is regulated by the federal Fair Credit Reporting Act.

Similarities with CCPA/CPRA/EU GDPR

The VCDPA contains aspects of the CCPA, CPRA, and EU GDPR. The VCDPA borrows many defined terms from the EU GDPR, including “controller,” “processor,” and “personal data.” Similar to the CPRA and EU GDPR, the VCDPA establishes a distinct class of “sensitive data.” Like the CCPA, CPRA, and EU GDPR, the VCDPA provides Virginia consumers specific rights with respect to personal data.

Data Rights

The VCDPA affords Consumers the right to: (i) access and disclosure; (ii) correction; (iii) deletion; (iv) portability; and (v) opt-out of targeted advertising, sales of personal data, or profiling. A controller is required to respond to Consumers within 45 days of receiving the request. When reasonably necessary, this timeframe can be extended by an additional 45 days if the controller informs the Consumer, within the initial 45-day response period, of the reason for the extension.

Contractual Obligations

The VCDPA requires controllers and processors to enter into a contractual agreement governing the processing of personal data. Akin to Art. 28 EU GDPR requirements, the agreements must provide clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The agreements must also impose requirements on the processor, such as deleting all personal data after the term of the agreement, and making available to the controller information necessary to demonstrate the processor’s compliance with VCDPA obligations.

Data Governance and Protection

The VCDPA also imposes restrictions and limitations on controllers, in addition to affirmative obligations. Like the EU GDPR and CPRA, controllers are required to limit the collection of personal data to “what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.” The VCDPA prohibits processing sensitive data without consent. Sensitive data is defined to include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data; and children’s personal data.

Among other affirmative obligations, controllers are required to implement “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”

Enforcement

Unlike the CPRA and EU GDPR, enforcement authority under this bill would not be housed in a dedicated data privacy authority, and the bill provides no basis for a private right of action. The Virginia Attorney General’s office would enforce the VCDPA. The Attorney General would be required to provide a 30-day notice and cure period. If the violation remains uncured, the Attorney General could seek up to $7,500 per violation.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.