RatedWithAI

RatedWithAI

Accessibility scanner

AI PrivacyJuly 4, 2026

Virginia VCDPA AI Profiling Opt-Out Requirements 2026

Most AI privacy content fixates on California. But Virginia's Consumer Data Protection Act was the second comprehensive state privacy law in the country, and its profiling opt-out right applies squarely to AI-driven lending, hiring, insurance, and pricing decisions — with its own scope, assessment duties, and exemptions that don't mirror CCPA.

100K
Virginia consumers processed triggers VCDPA coverage
Opt-Out
Right applies to profiling with legal or similarly significant effects
AG-Only
Enforced solely by the Virginia Attorney General, no private suits

Why Virginia Matters Beyond California

Every AI compliance conversation defaults to CCPA and the EU AI Act, but Virginia's VCDPA was the second comprehensive U.S. state privacy law, and its profiling opt-out right predates most of the ADMT-style regulations getting attention today. If your AI system touches consumers in Virginia — not just California — you have a separate statute with its own coverage tests to satisfy, and it doesn't automatically fall out of a CCPA-focused compliance program.

The core right: Virginia consumers can opt out of profiling used to further decisions that produce legal or similarly significant effects — credit and lending, housing, employment, education, healthcare services, insurance, and access to essential goods and services. If your AI scores, ranks, or screens people for any of those outcomes, VCDPA's opt-out applies.

Who Has to Comply

  • 100,000+ Virginia consumers — controllers that process the personal data of at least 100,000 Virginia residents in a calendar year are covered outright.
  • 25,000+ consumers plus data-sale revenue — a lower threshold of 25,000 Virginia consumers applies if the business derives over 50% of gross revenue from selling personal data.
  • No general revenue threshold — unlike CCPA, VCDPA doesn't have a standalone gross-revenue trigger, so smaller high-volume consumer apps can be covered even without CCPA-scale revenue.
  • Vendors under contract — AI vendors below the direct thresholds are frequently bound anyway through processor agreements when their customers are covered controllers.

Data Protection Assessments: The Part Most Teams Skip

Beyond the opt-out itself, VCDPA requires controllers to conduct a documented data protection assessment before engaging in profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusion into private affairs. These assessments aren't filed with the state proactively, but they must be produced on request during an Attorney General investigation — and "we never wrote one" is not a defensible position once that request lands.

How This Compares to California's ADMT Rules

Businesses building a California-first ADMT compliance program often assume it covers Virginia too. It usually gets close, but not exactly:

  • California's ADMT rules add a pre-use notice and access-rights layer VCDPA doesn't require.
  • VCDPA enforcement runs exclusively through the Attorney General — no private right of action, unlike some other emerging state frameworks.
  • VCDPA's profiling definition and its "legal or similarly significant effects" test have their own case history distinct from California's "significant decision" standard.
  • Cure periods and enforcement posture differ, so a Virginia-specific gap analysis is still worth the hour it takes.

Compliance Checklist for AI Businesses

Don't let a California-only compliance program leave Virginia exposure unchecked.

Confirm whether you cross the 100K or 25K+data-sale Virginia consumer thresholdsStart here
Inventory AI decisions with legal or similarly significant effects on Virginia residentsEssential
Build a working opt-out mechanism for profiling, distinct from general data-sale opt-outsEssential
Draft and retain data protection assessments before deploying new profiling use casesEssential
Update vendor contracts to flow down VCDPA obligations to AI processorsEssential
Cross-check against California ADMT and Colorado Privacy Act requirements for multistate coverageMultistate businesses

Compliance gaps compound across your whole web presence

Privacy notices and opt-out flows need to be reachable and usable, which is also an accessibility question. RatedWithAI scans your site for the issues that turn into complaints.

Scan Your Site for Free →

Frequently Asked Questions

Can Virginia residents sue directly under VCDPA?

No. VCDPA has no private right of action. Enforcement runs exclusively through the Virginia Attorney General, which can pursue civil penalties after a cure period for first-time violations.

Does VCDPA apply if I'm not headquartered in Virginia?

Yes. VCDPA applies based on whether you process the personal data of Virginia residents, not where your business is located. Any AI product with a meaningful Virginia user base needs to check coverage.

Is VCDPA's opt-out the same as an opt-out of targeted advertising?

No. VCDPA separately addresses opt-outs for targeted advertising, sale of personal data, and profiling for legal or similarly significant decisions. A single global opt-out preference signal can cover all three, but businesses need distinct internal logic to honor each correctly.

Do I need a Virginia-specific assessment if I already did one for California?

You can often reuse the underlying risk analysis, but the assessment should explicitly address VCDPA's own risk categories and be retrievable on its own if the Virginia AG requests it — a California-labeled document alone may not satisfy that.

Related Guides