Virginia VCDPA AI Profiling Opt-Out Requirements 2026
Most AI privacy content fixates on California. But Virginia's Consumer Data Protection Act was the second comprehensive state privacy law in the country, and its profiling opt-out right applies squarely to AI-driven lending, hiring, insurance, and pricing decisions — with its own scope, assessment duties, and exemptions that don't mirror CCPA.
Why Virginia Matters Beyond California
Every AI compliance conversation defaults to CCPA and the EU AI Act, but Virginia's VCDPA was the second comprehensive U.S. state privacy law, and its profiling opt-out right predates most of the ADMT-style regulations getting attention today. If your AI system touches consumers in Virginia — not just California — you have a separate statute with its own coverage tests to satisfy, and it doesn't automatically fall out of a CCPA-focused compliance program.
The core right: Virginia consumers can opt out of profiling used to further decisions that produce legal or similarly significant effects — credit and lending, housing, employment, education, healthcare services, insurance, and access to essential goods and services. If your AI scores, ranks, or screens people for any of those outcomes, VCDPA's opt-out applies.
Who Has to Comply
- 100,000+ Virginia consumers — controllers that process the personal data of at least 100,000 Virginia residents in a calendar year are covered outright.
- 25,000+ consumers plus data-sale revenue — a lower threshold of 25,000 Virginia consumers applies if the business derives over 50% of gross revenue from selling personal data.
- No general revenue threshold — unlike CCPA, VCDPA doesn't have a standalone gross-revenue trigger, so smaller high-volume consumer apps can be covered even without CCPA-scale revenue.
- Vendors under contract — AI vendors below the direct thresholds are frequently bound anyway through processor agreements when their customers are covered controllers.
Data Protection Assessments: The Part Most Teams Skip
Beyond the opt-out itself, VCDPA requires controllers to conduct a documented data protection assessment before engaging in profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact, financial or physical injury, or intrusion into private affairs. These assessments aren't filed with the state proactively, but they must be produced on request during an Attorney General investigation — and "we never wrote one" is not a defensible position once that request lands.
How This Compares to California's ADMT Rules
Businesses building a California-first ADMT compliance program often assume it covers Virginia too. It usually gets close, but not exactly:
- California's ADMT rules add a pre-use notice and access-rights layer VCDPA doesn't require.
- VCDPA enforcement runs exclusively through the Attorney General — no private right of action, unlike some other emerging state frameworks.
- VCDPA's profiling definition and its "legal or similarly significant effects" test have their own case history distinct from California's "significant decision" standard.
- Cure periods and enforcement posture differ, so a Virginia-specific gap analysis is still worth the hour it takes.
Compliance Checklist for AI Businesses
Don't let a California-only compliance program leave Virginia exposure unchecked.
Compliance gaps compound across your whole web presence
Privacy notices and opt-out flows need to be reachable and usable, which is also an accessibility question. RatedWithAI scans your site for the issues that turn into complaints.
Scan Your Site for Free →Frequently Asked Questions
Can Virginia residents sue directly under VCDPA?
No. VCDPA has no private right of action. Enforcement runs exclusively through the Virginia Attorney General, which can pursue civil penalties after a cure period for first-time violations.
Does VCDPA apply if I'm not headquartered in Virginia?
Yes. VCDPA applies based on whether you process the personal data of Virginia residents, not where your business is located. Any AI product with a meaningful Virginia user base needs to check coverage.
Is VCDPA's opt-out the same as an opt-out of targeted advertising?
No. VCDPA separately addresses opt-outs for targeted advertising, sale of personal data, and profiling for legal or similarly significant decisions. A single global opt-out preference signal can cover all three, but businesses need distinct internal logic to honor each correctly.
Do I need a Virginia-specific assessment if I already did one for California?
You can often reuse the underlying risk analysis, but the assessment should explicitly address VCDPA's own risk categories and be retrievable on its own if the Virginia AG requests it — a California-labeled document alone may not satisfy that.