Virginia’s Privacy Push: Balancing Rights, Risk, and Responsibility

Over the last five years, Virginia has quietly positioned itself as one of the more thoughtful states in the national privacy conversation. At the center of this effort is the Virginia Consumer Data Protection Act (VCDPA), which took effect on January 1, 2023. It is not a clone of California’s CCPA; it stands on its own as a risk-based framework. The VCDPA gives Virginians the rights to access, correct, and delete their personal data, to obtain a portable copy of it, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. It applies to businesses that control or process the personal data of at least 100,000 Virginia consumers in a calendar year, or at least 25,000 if they derive over half of their gross revenue from selling personal data. That “consumer” standard matters: a consumer is any Virginia resident acting in an individual or household context, so you do not have to be a customer to count, only a Virginian whose data is in the system; people acting in an employment or business-to-business context are excluded. Conversely, if you are outside the Commonwealth, these rights do not follow you. Entities covered by HIPAA are exempt, so healthcare remains under its own federal regime. Controllers must conduct data protection assessments before processing personal data for targeted advertising, for sale, for profiling that carries certain foreseeable risks, or when the data is sensitive. These are internal reviews that weigh the benefits of the processing against the risks to consumers and the safeguards that reduce those risks. The VCDPA also borrows the GDPR’s distinction between controllers and processors, a structure that is familiar to global organizations. See Va. Code Ann. §§ 59.1-575 to -585 (2023) (Virginia Consumer Data Protection Act).

Zooming in on another corner of everyday life, Virginia’s Telephone Privacy Protection Act recently received an update that reflects how central text messaging has become in modern commerce. Effective in 2026, the amended law requires every promotional text message to include a clear opt-out mechanism, such as replying “STOP” or “UNSUBSCRIBE.” Once a consumer opts out, the sender is barred from contacting them again for at least ten years. That is not a typo. Ten years. For individuals, this shift enhances control over how and when businesses can reach their mobile space. For businesses, the operational implications are real. Marketing systems must reliably capture every opt-out, normalize the number so the same subscriber cannot be reached again through a differently formatted record, and suppress it for a full decade, which will often outlast the CRM record the number is attached to. A suppression entry should also survive a VCDPA deletion request, because the VCDPA lets a controller retain data it needs to comply with a legal obligation. This is more than a legal formality; it will require technical upgrades, vendor oversight, and risk mitigation. The burden may fall disproportionately on small businesses that rely on off-the-shelf messaging tools without this level of customization. See Va. Code Ann. § 59.1-514 (2026) (Telephone Privacy Protection Act, as amended by S.B. 1339, 2025 Gen. Assemb., Reg. Sess. (Va. 2025)).
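What “track and suppress for a decade” looks like in code, as an added example (not the statute’s text and not any messaging vendor’s code): an opt-out register that recognizes a STOP or UNSUBSCRIBE reply, canonicalizes the phone number so formatting differences cannot sneak a suppressed subscriber back into a campaign, and refuses delivery until ten calendar years have passed. It also rejects any outbound promotional text that lacks an opt-out notice. The extra keywords beyond STOP and UNSUBSCRIBE, the US-only number handling, the in-memory dictionary store, and the sample numbers and messages are all assumptions made for the example.

```python
"""Opt-out suppression for promotional SMS (added example, not vendor code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# STOP and UNSUBSCRIBE come from the page; the other keywords are an assumption
# (common carrier-filter words) and can be trimmed to taste.
OPT_OUT_KEYWORDS = frozenset({"STOP", "UNSUBSCRIBE", "END", "CANCEL", "QUIT"})
SUPPRESSION_YEARS = 10  # the ten-year bar described in the text

# An outbound promotional text must tell the recipient how to stop the messages.
_OPT_OUT_NOTICE = re.compile(r"\b(?:STOP|UNSUBSCRIBE)\b", re.IGNORECASE)


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper used by the demo and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def normalize_number(raw: str) -> str:
    """Canonicalize to E.164 so '(804) 555-0101' and '+1 804-555-0101' map to
    the same suppression entry. Assumes North American (US) numbers only."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"unsupported number: {raw!r}")
    return "+" + digits


def is_opt_out(body: str) -> bool:
    """True when an inbound reply is an opt-out. Case and punctuation are
    ignored and the first word decides, so 'Stop.' and 'STOP all texts' count
    while 'I can't stop' does not; erring toward suppression is the safe side."""
    tokens = re.sub(r"[^A-Za-z\s]", " ", body).upper().split()
    return bool(tokens) and tokens[0] in OPT_OUT_KEYWORDS


def has_opt_out_notice(message: str) -> bool:
    """True when an outbound text contains an opt-out instruction."""
    return _OPT_OUT_NOTICE.search(message) is not None


def add_years(when: datetime, years: int) -> datetime:
    """Calendar-accurate year arithmetic; a 29 Feb start rolls back to 28 Feb."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


@dataclass
class SuppressionList:
    """Opt-out register keyed by E.164 number (in-memory store is an assumption;
    production would persist this independently of the CRM record)."""

    opted_out: dict[str, datetime] = field(default_factory=dict)

    def handle_inbound(self, from_number: str, body: str, at: datetime) -> bool:
        """Record an opt-out if the reply is one. A repeated STOP inside an
        open window keeps the original date; a STOP after expiry starts anew."""
        number = normalize_number(from_number)
        if not is_opt_out(body):
            return False
        if self.may_send(number, at):
            self.opted_out[number] = at
        return True

    def may_send(self, to_number: str, at: datetime) -> bool:
        """False while the number is inside its ten-year suppression window."""
        started = self.opted_out.get(normalize_number(to_number))
        return started is None or at >= add_years(started, SUPPRESSION_YEARS)

    def filter_campaign(self, numbers, message: str, at: datetime):
        """Split a send list into (deliverable, suppressed); refuse the whole
        campaign if the message itself lacks an opt-out notice."""
        if not has_opt_out_notice(message):
            raise ValueError("promotional text must include an opt-out instruction")
        deliverable, suppressed = [], []
        for n in numbers:
            (deliverable if self.may_send(n, at) else suppressed).append(normalize_number(n))
        return deliverable, suppressed


if __name__ == "__main__":
    reg = SuppressionList()
    reg.handle_inbound("(804) 555-0101", "Stop.", utc(2026, 1, 15))  # constructed reply
    print(reg.filter_campaign(["+1 804 555 0101", "804-555-0199"],
                              "Sale ends Friday. Reply STOP to opt out.", utc(2026, 2, 1)))
```

The two design choices worth copying are the canonical number key and the separation of the register from the customer record: the first defeats the most common way suppressed numbers leak back into campaigns, and the second keeps the opt-out alive after the contact is purged.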

Virginia also turned its attention to sector-specific data security with the Virginia Insurance Data Security Act, which took effect in 2020. The law targets insurance companies and agents licensed in the Commonwealth, requiring them to maintain a written information security program grounded in a risk assessment, and to investigate cybersecurity events. It also mandates prompt notification to the Commissioner of Insurance, and to affected consumers, when a cybersecurity event involves nonpublic information. Unlike the VCDPA, this law is not about consumer access or rights. It is about security posture and breach response. From an individual standpoint, it provides reassurance that financial and health-related data held by insurers is being actively protected. For insurers, the law requires more than IT policies. They must also oversee third-party service providers and ensure those providers apply comparable safeguards to the nonpublic information they handle. This creates a compliance environment that is both layered and continuous, especially given the evolving threat landscape. See Va. Code Ann. §§ 38.2-621 to -629 (2020) (Virginia Insurance Data Security Act).

If there is a thread connecting these statutes, it is the shifting definition of privacy itself, from secrecy to autonomy. The VCDPA, in particular, reframes privacy as a right to participate in how your data is used. Businesses must not only respond to consumer requests, but also structure their systems to accommodate them without retaliation or friction. The required data protection assessments are intended to force reflection, asking whether the data practices serve only the business or also respect the rights of individuals. Enforcement remains centralized with the Attorney General, who must give a controller written notice and a thirty-day window to cure before bringing an action. That makes compliance more predictable for businesses, though it also means that individuals have no private right of action. This compromise reflects Virginia’s measured, business-conscious approach. See Va. Code Ann. §§ 59.1-578 to -581 (2023) (Virginia Consumer Data Protection Act provisions on individual rights and controller obligations).

Looking ahead, Virginia has taken early steps toward regulating artificial intelligence and synthetic media through proposed bills such as HB 2121, the Digital Content Authenticity and Transparency Act, and HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act. HB 2121 would require AI-generated content to carry embedded provenance metadata so that its origin can be verified. HB 2094 targets high-risk AI systems used in consequential decisions about employment, housing, credit, and other sensitive areas, and would require risk assessments, public disclosures, and accountability frameworks for both developers and deployers. HB 2094 passed the General Assembly in the 2025 session but was vetoed by the Governor in March 2025, so any such obligations would have to come from a future session. Even so, these proposals represent a future-facing privacy strategy. For individuals, the benefits lie in transparency and the ability to detect when AI is shaping their experiences or opportunities. For businesses, the bills signal an impending shift toward AI governance as a core compliance domain. If enacted, laws of this kind could place Virginia at the leading edge of responsible AI regulation. See H.B. 2121, 2025 Gen. Assemb., Reg. Sess. (Va.) (Digital Content Authenticity and Transparency Act); H.B. 2094, 2025 Gen. Assemb., Reg. Sess. (Va.) (High-Risk Artificial Intelligence Developer and Deployer Act).

Operational Takeaways for Virginia Businesses

(From a business operations perspective, not legal advice)

  • Audit Your Data Flows – Map where personal and sensitive data enters, is stored, and leaves your systems, noting which laws apply.

  • Upgrade Communication Systems – Ensure marketing platforms capture every opt-out, normalize phone numbers to a single canonical form, and honor the opt-out for at least 10 years, independent of the customer record’s retention period.

  • Enhance Vendor Oversight – Include privacy, security, and AI usage obligations in vendor contracts, and review them annually.

  • Prepare for AI Governance – Document AI tools in use, define risk categories, and establish internal review protocols now.
