Virginia Consumer Data Protection Act

Virginia Consumer Data Protection Act, in force 1 Jan 2023 — the second comprehensive US state privacy law after CCPA, establishing the 'Virginia template' subsequently followed by CO, CT, UT, TX, IA, IN, TN, OR, MT, DE, NE, NH, NJ, KY, RI, MN, MD (modified) and the Oklahoma + Alabama 2027 entrants. Template: five rights (access, correct, delete, portability, opt-out of sale/targeted/profiling), 45-day SLA, sensitive-data opt-in, DPA for triggering activities, AG-only enforcement, civil penalties up to $7,500/violation, cure period retained in VA.

Composition

14 controls currently indexed; participates in 7 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Consumer / Data Subject / Data Principal rights response SLA
• Cross-jurisdiction consumer / Data Principal rights — operational fabric
• GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
• GDPR data subject rights — Articles 12-22 operational implementation
• PII principal rights — comprehensive ISO 27701-anchored programme
• Processor / service provider contract requirements across jurisdictions
• Sensitive personal information — heightened protection across jurisdictions