VCDPA compliance guidelines by TerraTrue

April 27, 2022

VCDPA compliance a worry? TerraTrue’s got you covered.


The Virginia Consumer Data Privacy Act adds more work to the already complex landscape of privacy laws. TerraTrue’s VCDPA solution can make compliance manageable and stress-free.

The Virginia Consumer Data Privacy Act (VCDPA) is similar to the CPRA in a lot of ways. It covers a similar range of consumer information. It provides state residents with comparable rights over their information. It even comes into effect on the same day as the CPRA: January 1, 2023. 

The problem is “similar” doesn’t mean “the same.” Let’s be real: Every new state law just adds to the virtual alphabet soup that is compliance. It can feel overwhelming and confusing to discern one law from the next. The following aims to help you distinguish Virginia’s new law from the rest.


Virginia’s privacy law has a different scope, distinct categories of information, and its own particular consumer rights and business obligations. It’s close enough to cause confusion, but not close enough to just repurpose your CPRA compliance strategy, which means a lot more work has just been dumped in your lap.

Fortunately, we’ve got you covered — just turn on TerraTrue’s VCDPA solution, and you’re on the path to compliance without ever having to reference back to the law.

Why is VCDPA compliance so challenging?

Gap analysis is tedious and time consuming

Because of the differences between the Virginia law and California’s CCPA and CPRA, you can’t simply repurpose your CPRA controls to meet VCDPA requirements.

Key differences include:

  • Scope: The VCDPA only covers consumer data, while the CPRA covers commercial data as well. 
  • Data definitions: The VCDPA has its own definitions for terms like “sensitive data” and “personal data.” For example, the law considers any data that’s “linked or reasonably linkable” to identifiable persons to be personal data. And unlike California’s law, it explicitly exempts de-identified data, but requires specific safeguards to prevent its re-identification.
  • Data sale: The VCDPA defines the “sale” of data differently than the CPRA; Virginia only counts a transaction as a data sale if you receive money in exchange for data, while in California, exchanging data for other benefits also counts as selling it.
  • Consumer rights: Virginia’s opt-out rights for targeted advertising go a step further than CPRA opt-outs, covering any processing for targeted ads — not just cross-contextual ads, as the CPRA does.
  • Assessments: While the CPRA has requirements for audits and assessments, those requirements are still in development. The VCDPA, on the other hand, comes with more explicit requirements. It requires data protection assessments for a wide range of data processing activities, including targeted ads, sale of personal data, and data profiling and processing that presents a risk of injury or harm to the consumer.

Even for a skilled privacy team addressing just one law, building a compliance program on such a tight deadline would be a challenge. But establishing compliance programs for multiple states by the beginning of 2023 could be downright overwhelming. 

There are many difficult questions to answer. Should you build two separate systems to handle consumer requests, or try to engineer one that meets all the requirements? Will you have to conduct a whole new round of DPIAs once California finalizes its rules, or will you be able to use the reviews you’ve already completed? How do you even handle data tagging and documentation, when each state has its own definitions for terms like “sensitive data”?

There’s really no possible manual, ad-hoc solution. Manually tracking and fulfilling all your obligations to a continuously expanding set of legislation will be an incredible amount of work. And even if you can handle that, you still have to account for new laws and future rulemaking activities, which could require major changes to your controls at any time.

Automate compliance with the VCDPA.

How does TerraTrue solve VCDPA compliance?

TerraTrue has released a new VCDPA module in its platform. Just turn it on, and you can get started preparing for Virginia compliance.

Automate gap analysis

TerraTrue saves you from digging through old documentation, using your launches to spot and flag any actions you need to take to comply with the VCDPA. For example, let’s say you released a consumer-facing app that requests personal information two years ago and created a launch in TerraTrue. When you activated the VCDPA module, it would look at factors like what information the app requested, how it used the information, and whether you were giving users the information and opt-out (or opt-in) options the law requires. So if the module saw that you weren’t telling users how the app used their data or giving them a way to opt out, it would tell you to amend your privacy policy and add opt-out controls.

By automating reviews and recommendations, the VCDPA module can save you hundreds of hours. Otherwise, you’re searching through old privacy worksheets and DPIAs to check them against VCDPA requirements. It also eliminates the significant risk of human error that comes with manually reviewing thousands of pages of documents — not to mention the cost of all that time.

Eliminate duplicate work

With manual reviews, a change in the law can invalidate much of your work. You’ll need to go through your documentation again, evaluating your practices against the new standards. Similarly, you won’t get a lot of use out of the work you’ve already done on other compliance regimes, even if they’re extremely similar to the Virginia CDPA.

With TerraTrue, the work you’ve done doesn’t come undone with a new law or a change in an existing one. Once you’ve filled out a project launch, the software can scan it for any future compliance goals. Just select the rule and go. You can check your data practices and disclosures against anything legislators or regulatory bodies throw your way, identifying required changes in minutes.

A single pane for all your compliance burdens

Your privacy and compliance team only has so much time and so many resources. Anything you can do to consolidate your compliance strategies into a single, manageable program is worth doing.

TerraTrue enables you to set, organize, and address all your compliance priorities in a single tool. That makes it easy to spot legal overlaps and build strategies that address multiple laws at the same time.

Just as importantly, TerraTrue helps you spot those times when it’s better (or necessary) to impose separate controls. For example, the VCDPA only covers consumer data and has carve-outs for certain industries that the CPRA doesn’t have. On the other hand, the VCDPA goes further than the CPRA in a number of ways, such as by requiring companies to have an internal appeal process if a data request is denied.

TerraTrue provides a complete map of your data and data practices, making it easy to visualize and weigh the costs and drawbacks of providing a single set of combined data rights. That makes it easier to choose the right compliance strategy for your company.

Smarter compliance with each privacy review

With each DPIA, privacy review, and product launch, TerraTrue automatically learns about your needs and priorities. It registers what data types you use, what reviews you routinely need, and what privacy practices you use to protect your data. And the app uses machine learning to become a better privacy guide, making smarter recommendations and saving you time. 

Panic doesn’t have to be part of your compliance strategy. TerraTrue can take the stress out of VCDPA compliance.

Contact us today for a quick walkthrough of our VCDPA module.