Virginia Consumer Data Protection Act (VCDPA) — Automated Decision-Making: AI Compliance Requirements
Virginia's Consumer Data Protection Act (Va. Code § 59.1-571 et seq.), effective January 1, 2023, includes automated decision-making opt-out rights and data protection impact assessment requirements. Consumers have the right to opt out of processing for profiling in furtherance of decisions that produce legal or similarly significant effects — including employment decisions, credit decisions, and housing decisions. Controllers must conduct and document Data Protection Impact Assessments (DPIAs) before processing for automated decision-making. Threshold: applies to businesses that process data of 100,000+ Virginia consumers annually, or 25,000+ consumers and derive 50%+ revenue from data processing. Enforcement by Virginia AG — no private right of action. Civil penalties up to $7,500 per intentional violation.
Key Facts
January 1, 2023
$7,500 per intentional violation (Virginia AG enforcement); no private right of action
What Your Business Must Do
3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.
Automated Decision-Making Opt-Out
High PriorityUnder VCDPA § 59.1-576(A)(5), provide Virginia consumers with the right to opt out of processing for profiling in furtherance of automated decisions that produce legal or similarly significant effects (employment, credit, housing, education). Publish a clear opt-out mechanism in your privacy notice.
Data Protection Impact Assessment (DPIA)
High PriorityVCDPA § 59.1-578 requires controllers to conduct DPIAs before processing for automated decision-making with significant effect on consumers. Document purpose, necessity, benefits, and safeguards. Retain DPIAs and provide them to Virginia AG on request.
Privacy Notice — Automated Processing Disclosure
Medium PriorityUpdate your privacy notice to disclose (1) categories of data processed for automated decision-making, (2) consumer opt-out rights, (3) any profiling activities, and (4) third parties to whom data is disclosed for automated processing purposes.
Frequently Asked Questions
Does Virginia Consumer Data Protection Act (VCDPA) — Automated Decision-Making apply to my business?
Virginia's Consumer Data Protection Act (Va. Code § 59.1-571 et seq.), effective January 1, 2023, includes automated decision-making opt-out rights and data protection impact assessment requirements. Consumers have the right to opt out of processing . Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.
What is the penalty for non-compliance?
The maximum penalty under Virginia Consumer Data Protection Act (VCDPA) — Automated Decision-Making is: $7,500 per intentional violation (Virginia AG enforcement); no private right of action. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.
How do I comply with Virginia Consumer Data Protection Act (VCDPA) — Automated Decision-Making?
The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.
Official Source
https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/Last updated: 2026-04-13 — verify at source before relying on this information.
Don't leave compliance to chance
ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.
Start your free compliance scan