Customers have the right to view their data and ask corporations to erase their personal information under the VCDPA. Additionally, it mandates that businesses carry out data protection audits when processing personal data for individualized marketing and sales efforts.

Entities conducting business in Virginia must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process

 (i) the personal data of at least 100,000 consumers in a calendar year, or

 (ii) the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.

Several possible areas where the VCDPA needs explanation:

1. Applicability :

People who "do business" in the Commonwealth or provide goods or services "targeted" at Virginians are subject to the VCDPA. However, the term "targeted" is not defined in the Act.

2. Right to Delete:

Although the VCDPA does not provide any particular limitations to the right to delete, it does allow consumers to seek the erasure of their personal data.


3. Access and Data Portability:

A copy of the consumer's personal data must be provided "in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance," according to the VCDPA, which grants consumers the right to obtain a copy of their personal data. The phrase "when the processing is carried out by automated methods" is also part of that regulation. According to experts, it's unclear exactly what "automated means" alters.

4. Targeted Advertising:

The VCDPA excludes data that might be linked to a consumer's device and defines "personal data" as any information that is "related or reasonably linkable to an identified or identifiable natural person."

5. Children’s Data:

The federal Children's Online Privacy Protection Act must be followed by the controller if a customer is a kid, according to the VCDPA, which covers both online and offline data gathering techniques (COPPA). However, COPPA only applies to online data collection of personal information from children. Does that absolve controllers of responsibility if they gather personal information about minors offline?