
Virginia (VCDPA) Privacy Law Compliance

Virginia became the second US state with a comprehensive privacy law (effective Jan 1, 2023), modelled more closely on GDPR than CCPA — opt-in for sensitive data, mandatory data protection assessments, and a controller/processor structure. The Virginia AG has exclusive enforcement (no private right of action) but penalties go up to $7,500 per violation, and 30-day cure periods are no longer guaranteed for repeat violations.

Statute: Virginia Consumer Data Protection Act, Va. Code §59.1-575 et seq.
Effective: Jan 1, 2023
Enforcer: Virginia Attorney General (exclusive enforcement, no private right of action)
Consumer rights: 8
Business obligations: 8

Who must comply

Exemptions

Consumer rights (8)

Right to access / know: Confirm whether personal data is processed and obtain a copy in a portable format
Right to correct: Correct inaccurate personal data
Right to delete: Request deletion of personal data the controller has collected
Right to data portability: Receive data in a portable, machine-readable format
Right to opt out of sale: Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising: Opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect: Opt out of automated decisions producing legal or similarly significant effects
Right to appeal: Appeal a controller's refusal to honour a rights request (typically 45–60 days)

Business obligations (8)

Public privacy notice: Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days: Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements: Written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments: Documented risk assessment for targeted advertising, sale, profiling, and sensitive data processing
Reasonable security practices: Administrative, technical, and physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation: Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Children & teen consent: Opt-in consent before selling or sharing data of minors (age threshold varies 13–16)
Opt-in for sensitive data: Affirmative consent BEFORE processing sensitive data (race, religion, health, sexual orientation, citizenship, biometric, geolocation, children's data)

Required privacy notice elements

  1. Categories of personal data processed
  2. Purpose of processing
  3. Categories of personal data shared with third parties
  4. Categories of third parties with whom data is shared
  5. Consumer rights enumerated with submission method
  6. Process to appeal a refused rights request
  7. Whether the controller sells personal data or processes it for targeted advertising — with opt-out instructions
  8. Active email address or online mechanism for rights requests

Penalties

Civil penalty per violation: Up to $7,500 (Va. Code §59.1-584)
30-day cure period: Discretionary (was mandatory pre-July 2025); the AG is no longer required to offer a cure
Attorney's fees + costs: Recoverable by the AG (§59.1-584(C))

Common compliance pitfalls

Missing opt-in flow for sensitive data
Virginia (like Colorado and Connecticut) requires AFFIRMATIVE consent before processing sensitive data. Defaulting to opt-out fails. Sensitive data includes precise geolocation, biometric data, health, race, religion, citizenship, and children's data.
No appeal mechanism for rights refusals
Va. Code §59.1-577(C) requires a 'conspicuous and readily accessible' process for consumers to appeal a refused request; most CCPA-only policies don't have one.
Counting B2B / employee data toward thresholds
Virginia excludes employment and B2B data entirely. Many companies incorrectly assume they cross the 100K threshold by counting employees or business contacts.
Missing data protection assessments
Data protection assessments are mandatory before targeted advertising, sale of personal data, sensitive data processing, or any processing presenting heightened risk. They must be documented and made available to the AG on request.

FAQ

Does VCDPA have a private right of action?
No. Enforcement is exclusive to the Virginia Attorney General. Consumers cannot directly sue under VCDPA (unlike CCPA which allows private suits for data breaches).
How does VCDPA differ from CCPA?
VCDPA is more GDPR-like: opt-in for sensitive data (CCPA is opt-out via its 'right to limit'), mandatory data protection assessments, no private right of action, full exemption for B2B and employee data, and no 'right to limit SPI' (instead it requires affirmative consent upfront). Both require similar privacy notices and consumer rights.
Is the 30-day cure period still mandatory?
No. As of July 1, 2025, the AG's right-to-cure obligation sunset. Cure may still be offered at AG discretion, especially for first-time or technical violations.

Related state laws

Colorado (CO): CPA
Connecticut (CT): CTDPA
California (CA): CCPA/CPRA
