Virginia's CDPA Requires Data Protection Assessments — Here's What That Actually Means
Tags: Virginia, VCDPA, data protection assessment, profiling, consumer privacy


AI Compliance Documents Team | 15 min read

Two-Sentence Summary

Virginia has a privacy law called the VCDPA that says if your business uses people's personal data to target them with ads, sells it, processes sensitive data, or profiles people in ways that could foreseeably harm them, you have to write up a formal document explaining why you're doing it and whether the benefits outweigh the risks. The law has been in effect since January 1, 2023, enforcement is handled exclusively by the Virginia Attorney General, and civil penalties can reach $7,500 per violation.

If your business collects personal data from Virginia residents and uses it to show them targeted ads, personalize their experience, or make predictions about their behavior or preferences, there's a Virginia law that requires you to document what you're doing and why.

It's called the Virginia Consumer Data Protection Act — the VCDPA — and it's been in effect since January 1, 2023. It was one of the first comprehensive state privacy laws in the country, and it includes a specific requirement that a lot of businesses haven't caught up with yet: data protection assessments.

A data protection assessment is a written document where you evaluate a specific way you're using consumer data. You identify the benefits of what you're doing, the risks to the people whose data you're using, and whether the safeguards you have in place are enough to justify the processing. It's the state's way of making sure businesses think carefully before they use personal data in ways that could affect people's lives.

If you haven't done one yet, you're not alone — and the good news is that the law is structured in a way that makes it possible to get caught up. Let's walk through what the VCDPA actually requires, who it applies to, and what a data protection assessment involves.

Who the VCDPA Applies To

The law applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents, and that meet one of two thresholds during a calendar year: you either control or process the personal data of at least 100,000 Virginia consumers, or you control or process the personal data of at least 25,000 Virginia consumers and derive more than 50 percent of your gross revenue from selling personal data. (§ 59.1-576)

A few things to note about those thresholds. First, "consumers" under the VCDPA means Virginia residents acting in a personal or household capacity — not in a business or employment context. So your B2B client data and employee data don't count toward the threshold. Second, 100,000 might sound like a lot, but if your website gets meaningful traffic from Virginia, or if you have a customer email list or marketing database with Virginia addresses, you might be closer than you think. Website visitors, app users, and people in your CRM can all count.

There are some exemptions. Nonprofits, institutions of higher education, state bodies, covered entities and business associates under HIPAA, and financial institutions subject to the Gramm-Leach-Bliley Act are all excluded. (§ 59.1-576)

If you're not sure whether your business hits the threshold, it's worth checking. The answer will tell you whether the rest of this article applies to you.

What "Profiling" Means Under This Law

The VCDPA defines profiling as any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. (§ 59.1-575)

That definition is broad for a reason. It's designed to cover the wide range of ways businesses already use data about people. A few examples of what would count as profiling under this law:

  • A recommendation engine that suggests products based on a customer's past browsing or purchase behavior.
  • A marketing platform that segments your email list based on predicted interests or engagement likelihood.
  • A credit or lending tool that evaluates a consumer's financial risk.
  • A hiring platform that scores applicants based on predicted performance. (Keep in mind that the VCDPA's definition of "consumer" excludes people acting in an employment context, so applicant data may sit outside this particular law even though the processing is profiling in every other sense.)
  • A tool that adjusts pricing or offers based on a consumer's location or browsing history.

If an automated system in your business takes personal data as input and produces an evaluation, prediction, or analysis about a person as output, that's profiling under the VCDPA. A human reviewing a file by hand isn't; a model, rule engine, or scoring pipeline doing the same thing is.

When Data Protection Assessments Are Required

Under § 59.1-580 of the VCDPA, a controller must conduct and document a data protection assessment for each of these processing activities: processing personal data for targeted advertising, selling personal data, processing personal data for profiling where that profiling presents a reasonably foreseeable risk of harm to consumers, processing sensitive data, and any processing activities involving personal data that present a heightened risk of harm to consumers.

The "reasonably foreseeable risk" language for profiling names four specific categories of harm: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical, or reputational injury; physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where that intrusion would be offensive to a reasonable person; or other substantial injury to consumers. (§ 59.1-580)

In practical terms, the decisions the VCDPA itself singles out are those with "legal or similarly significant effects": the provision or denial of financial or lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities such as food and water. (§ 59.1-575) That definition drives the consumer's right to opt out of profiling in furtherance of such decisions (§ 59.1-577), and profiling that feeds those decisions will, in practice, almost always present the foreseeable risk of financial, physical, or reputational injury that triggers the assessment requirement.

But the requirement isn't limited to those high-stakes decisions. Any profiling that presents a foreseeable risk of harm — even something like behavioral targeting that could be used in discriminatory ways — is covered.

What a Data Protection Assessment Actually Contains

The statute is specific about what the assessment needs to evaluate. Under § 59.1-580, a data protection assessment must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, as mitigated by the safeguards the controller can employ to reduce those risks.

The assessment should also factor in: whether de-identified data could be used instead, what a reasonable consumer would expect, the context of the processing, and the relationship between the controller and the consumer whose data is being processed.

In less technical language, here's what the law is asking you to do. For each way you use personal data that falls into one of the categories above, sit down and answer these questions: What are we doing with this data? Who benefits, and how? What are the risks to the people whose data we're using? What are we doing to reduce those risks? And given all of that, does the benefit justify the processing?

That's the assessment. It's a structured way of thinking through a decision you've probably been making informally already — but writing it down so there's a record that you took the process seriously.

A Few Things That Make the VCDPA Assessment Requirement More Manageable

There are some provisions in the law that are worth knowing about because they make compliance more practical.

You can group similar processing activities into a single assessment. If you have several processing operations that involve similar types of data and similar risks, you don't have to write a separate assessment for each one. The statute says a single assessment may address "a comparable set of processing operations that include similar activities." (§ 59.1-580)

If you've already done assessments for other laws, those might count. The VCDPA says that data protection assessments conducted for compliance with other laws or regulations can satisfy this requirement if they have "a reasonably comparable scope and effect." (§ 59.1-580) So if you've already done assessments under Colorado's privacy law, or Connecticut's, or the EU's GDPR, you may not need to start from scratch.

The requirement isn't retroactive. It applies to processing activities created or generated after January 1, 2023. If an activity predates that date and hasn't changed, the statute doesn't require you to go back and write an assessment for it; new activities, and existing activities that have changed materially since then, do need one. (§ 59.1-580)

And your assessments are confidential. If the Attorney General requests one through a civil investigative demand, the disclosure doesn't waive attorney-client privilege or work product protection. They're also exempt from Virginia's Freedom of Information Act. (§ 59.1-580)

The Attorney General Enforces This — And There's a Cure Period

Enforcement of the VCDPA is handled exclusively by the Virginia Attorney General. There's no private right of action, which means individual consumers can't sue you directly under this law. (§ 59.1-584)

Before taking enforcement action, the Attorney General must give you 30 days' written notice identifying the specific provisions you've allegedly violated. If you cure the violation within that 30-day period and give the Attorney General an express written statement that the violations have been cured and that no further violations will occur, no action for injunctive relief or civil penalties will be initiated. (§ 59.1-584)

If the violation isn't cured, or if you breach the written statement, the Attorney General can seek an injunction and civil penalties of up to $7,500 per violation, plus attorney's fees and investigation costs. (§ 59.1-584)

The 30-day cure period is an important feature. It means the enforcement model is designed to give businesses a chance to fix problems before facing penalties. It's not a "gotcha" system. But don't confuse two different clocks: the Attorney General can demand your assessments through a civil investigative demand before any notice of violation is issued, and once a notice does arrive, 30 days is not much time to inventory your processing activities and write assessments from scratch. If the demand comes and you have nothing to produce, start immediately.

Why This Requirement Exists

The idea behind data protection assessments is actually pretty intuitive. Businesses are collecting more personal data than ever before, and they're using it in increasingly sophisticated ways — to target, predict, personalize, and make decisions about people. Most of that processing happens invisibly. The person affected usually has no idea it's happening.

A data protection assessment is the law's way of saying: before you do that, think about it. Think about whether the person would expect it. Think about whether it could hurt them. Think about whether there's a less invasive way to accomplish the same thing. And then write that thinking down.

It's not asking businesses to stop using data. It's asking them to be thoughtful about it. The assessment requirement exists because experience has shown that when companies are required to evaluate the impact of their data processing, they make better decisions — they catch risks they would have missed, they build better safeguards, and they earn more trust from the people whose data they're handling.

Virginia was one of the first states to put this requirement into law. Since then, Connecticut, Colorado, Oregon, Delaware, Texas, and others have followed with similar requirements. And California's newly finalized ADMT regulations include their own version of risk assessments. The VCDPA's framework is becoming the baseline for how states expect businesses to handle personal data — not just in Virginia, but across the country. If you operate in multiple states, our multi-state profiling assessment package covers the overlapping requirements across the major state privacy laws in a single document set.

What to Do if You Haven't Started

If your business falls within the VCDPA's scope and you haven't conducted data protection assessments yet, here's where to start.

Figure out what data you're processing. Make a list of the personal data you collect from Virginia consumers and what you do with it. You're looking specifically for targeted advertising, data sales, profiling, sensitive data processing, and any other high-risk processing. Our data mapping and inventory template provides a structured format for this step that works across state privacy law requirements.

For each activity you identify, write an assessment. The assessment should describe the processing activity, identify the benefits, identify the risks to consumers, describe the safeguards you have in place, and weigh the two against each other. It doesn't have to be hundreds of pages — it has to be thoughtful and honest. Our Virginia CDPA compliance package includes a data protection assessment template built around the statute's specific criteria at § 59.1-580.

Check whether assessments you've done for other laws can apply. If you've done assessments under Colorado, Connecticut, or GDPR requirements, review the VCDPA's criteria and see if they're comparable in scope. You may be able to adapt existing work rather than starting fresh.

Keep your assessments updated. They should reflect your current processing activities. If you add a new tool, change how you use data, or start processing a new category of data, update the relevant assessment.

Store them securely and know where they are. If the Attorney General ever requests them, you'll need to produce them. Having them organized and accessible is part of being prepared.

The VCDPA has been in effect for over three years. The data protection assessment requirement has been part of it since the beginning. If you're just learning about this now, that's okay — a lot of businesses are in the same position, especially if they're only recently hitting the consumer data thresholds as their business grows. The best time to start was 2023. The next best time is today.


Sources — Every fact in this article was verified against the enacted statute text at these .gov URLs:

What Is Profiling?

Imagine you walk into your school cafeteria every day for a month, and someone is quietly writing down everything you pick — pizza on Mondays, salad on Wednesdays, always a chocolate milk. Then one day, without asking you, they rearrange your tray before you even get there: pizza, chocolate milk, no salad, plus a cookie because 'kids like you usually grab a cookie.' That's profiling. Someone (or something) watched your behavior, made predictions about you, and then used those predictions to make decisions — all without you knowing.

In the business world, profiling happens constantly. When a website shows you ads based on what you've browsed, that's profiling. When a company scores you as a 'high-risk' or 'low-risk' customer based on your zip code and purchase history, that's profiling. When a hiring platform ranks job applicants by predicting who's most likely to succeed based on patterns in their resume, that's profiling too. The common thread is always the same: a system takes your personal data, analyzes it, and produces a judgment about who you are or what you'll do.

The reason Virginia's law cares about profiling is that these predictions can be wrong — and when they're wrong, they can hurt people. If an algorithm decides you're a bad credit risk because of where you live, you might get denied a loan you could easily repay. If a hiring tool predicts you won't perform well based on patterns that happen to correlate with your race or gender, you might never get the interview. The person affected often has no idea it happened.

That's why the VCDPA requires businesses to conduct a data protection assessment whenever they profile consumers in ways that could foreseeably cause harm. The law doesn't ban profiling — it just says that before you do it, you have to sit down and honestly evaluate whether the benefit of what you're doing is worth the risk to the people you're doing it to.

Disclaimer: This article is for informational purposes only and does not constitute legal advice, legal representation, or an attorney-client relationship. Laws and regulations change frequently. You should consult a licensed attorney to verify that the information in this article is current, complete, and applicable to your specific situation before relying on it. AI Compliance Documents is not a law firm and does not practice law.
