These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.

Virginia Consumer Data Protection Act

Compliance Checklist for VCDPA Requirements

Key Provisions & Questions

§ 59.1-577.1: Social Media Platform Requirements for Minors

Does your social media platform verify minors' ages with neutral mechanisms, apply daily one-hour usage limits (modifiable by parental consent), and ensure collected age information is used solely for compliance?

§ 59.1-578: Personal Data Collection and Privacy Notices

Does your organization limit personal data collection to necessary purposes, maintain appropriate security practices, honor consumer rights without discrimination, and provide clear, accessible privacy notices with required disclosures?

§ 59.1-579: Processor Contracts

Do your contracts with processors clearly outline data processing instructions, require confidentiality, govern retention and deletion, permit audits, and ensure processor assistance with security, breach notifications, and data protection assessments?

§ 59.1-580: Data Protection Assessments

Does your organization conduct and document data protection assessments for high-risk activities such as targeted advertising, sale of data, sensitive data processing, profiling, and services directed to children?

§ 59.1-581: De-identified Data

Does your organization take reasonable measures to ensure de-identified data cannot be re-associated with individuals, publicly commit to non-reidentification, and contractually bind recipients to the same obligations?

Compliance Recommendations

§ 59.1-577.1: Social Media Platform Requirements

If Yes:

Maintain your current compliance framework
Periodically test the neutrality and accuracy of your age-screening mechanisms
Ensure mechanisms avoid bias or circumvention

If No:

Implement commercially reasonable age verification
Enforce daily time limits
Provide parental consent options
Restrict use of age data strictly to compliance purposes

§ 59.1-578: Personal Data Collection

If Yes:

Maintain compliance
Conduct annual privacy policy reviews
Perform consumer comprehension testing to ensure clarity
Enhance transparency through regular updates

If No:

Adopt data minimization practices
Establish security safeguards
Obtain proper consent for sensitive data
Update privacy notices to meet statutory requirements

§ 59.1-579: Processor Contracts

If Yes:

Maintain existing contracts
Periodically review audit rights
Review subcontractor agreements
Strengthen oversight and accountability

If No:

Revise processor agreements to include confidentiality
Add data return/deletion clauses
Include audit rights
Ensure breach notification support
Ensure all processors comply with statutory duties

§ 59.1-580: Data Protection Assessments

If Yes:

Maintain current assessment practices
Integrate periodic re-evaluations
Implement board-level reporting
Enhance accountability measures

If No:

Develop a structured data protection assessment process
Address risks, benefits, and safeguards
Document results thoroughly
Ensure readiness for Attorney General requests

§ 59.1-581: De-identified Data

If Yes:

Maintain compliance
Strengthen oversight
Schedule regular audits of contractual partners
Monitor handling of de-identified or pseudonymous data

If No:

Adopt technical measures preventing re-identification
Publish a non-reidentification commitment
Amend contracts to obligate third parties
Ensure safeguards for de-identified data

Need Help with VCDPA Compliance?

Our team of privacy experts can help you navigate Virginia's Consumer Data Protection Act requirements and ensure your organization meets all compliance obligations.

Checklist to implementation

Need a fact-specific view?

Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.

Book a consultation Send structured brief