Primary Research · State Profile · VA
Virginia was the second US state to enact a comprehensive consumer privacy law — the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023 — and the law's profiling, sensitive data, and impact assessment provisions reach a significant share of AI deployments touching Virginia residents. The VCDPA applies to entities processing personal data of 100,000+ Virginia consumers (or 25,000+ if revenue-from-data thresholds are met) and was the legislative template that shaped Colorado, Connecticut, and several other state laws. Virginia is also a significant federal contractor and defense industrial base state, which means CMMC, NIST SP 800-171, and other federal frameworks frequently layer on top of state AI exposure.
Virginia's regulatory posture in 2026 is mature but not aggressive. The VCDPA's profiling opt-out, sensitive data consent, and data protection assessment requirements have been in force for three years and Virginia AG enforcement has been measured — the law includes a 30-day cure period and there is no private right of action. Virginia has been notably less active than California, Colorado, or Illinois on AI-specific legislation; comprehensive AI Act drafts have circulated but none has been enacted. Where Virginia does add unique exposure is at the intersection of state privacy law and the substantial federal contractor population — defense industrial base companies operating in Virginia frequently need to coordinate VCDPA compliance with CMMC 2.0 and NIST SP 800-171 implementations, which is not a trivial integration exercise.
Key provisions
Consumer rights of access, correction, deletion, portability, opt-out of targeted ads / sale / profiling; sensitive data consent; data protection assessments for high-risk processing; AG enforcement; 30-day cure period; no private right of action.
Various proposals have circulated to add AI-specific obligations on top of VCDPA. None has cleared the legislature; structure may eventually follow Colorado.
Sector-specific frameworks layer on top of state AI laws and frequently impose stricter or earlier-binding obligations. These are the sectors most exposed in Virginia.
Defense industrial base
Virginia has the largest defense contractor population in the US. CMMC 2.0, NIST SP 800-171, and DFARS overlay state AI exposure for any AI processing controlled unclassified information.
Financial services
VCDPA profiling opt-out is the binding state-level constraint; federal regulator expectations (OCC, FDIC, Federal Reserve) overlay for AI in credit and lending.
Healthcare
VCDPA exempts most HIPAA-covered data; consumer-health-adjacent AI applications are in scope.
Education
Virginia universities and Virginia state government AI use face both VCDPA and state procurement requirements.
Practical operational checklist for organizations subject to Virginia AI laws. Items are ordered by typical sequence of implementation, not by importance — most steps depend on the inventory work in the first item.
100,000+ consumers threshold or 25,000+ with revenue-from-data threshold.
Profiling opt-out applies to AI-driven decisions producing legal or similarly significant effects.
Required by VCDPA for sensitive data processing and high-risk profiling.
Integration is non-trivial; build a unified governance program rather than separate silos.
Required for health, biometric, genetic, geolocation, and similar categories.
Virginia AG has generally allowed the cure period; build incident response to take advantage.
No imminent enactment but structure likely to mirror Colorado eventually.
EFROS operates Virginia AI governance with particular focus on the intersection of VCDPA and federal contractor compliance — CMMC 2.0 + NIST SP 800-171 integration with state privacy law, profiling DPIA workflows, and AI vendor diligence in defense industrial base contexts. We support both commercial and defense-contractor clients with consolidated state-and-federal AI governance programs.
Disclaimer: this profile is a research dataset, not legal advice. Compliance determinations for Virginia businesses require analysis of specific facts and should be made in consultation with qualified legal counsel licensed in Virginia.
Reference this resource with attribution under CC-BY-4.0. Copy any of the formats below for academic papers, blog posts, AI citations, or vendor evidence packages.
Efros, S. (2026, May). Virginia AI Law Tracker — 2026. EFROS. https://efros.com/research/state-ai-law-tracker/virginia/
Efros, Stefan. "Virginia AI Law Tracker — 2026." EFROS, May 2026, https://efros.com/research/state-ai-law-tracker/virginia/.
Efros, Stefan. 2026. "Virginia AI Law Tracker — 2026." EFROS. https://efros.com/research/state-ai-law-tracker/virginia/.
S. Efros, "Virginia AI Law Tracker — 2026," EFROS, May 2026. [Online]. Available: https://efros.com/research/state-ai-law-tracker/virginia/
@misc{efros2026virginiaailawtra,
author = {Stefan Efros},
title = {Virginia AI Law Tracker — 2026},
year = {2026},
month = {May},
publisher = {EFROS},
url = {https://efros.com/research/state-ai-law-tracker/virginia/},
note = {Accessed: May 2026}
}https://efros.com/research/state-ai-law-tracker/virginia/
Site-wide citation metadata is also published as a CITATION.cff file at /CITATION.cff for citation-management tools and academic indexers.
All tracked US state AI laws in a single citation-ready dataset.
Open20 AI vendors scored on 12 US AI governance axes — including state-law overlays.
OpenFederal framework that anchors most state AI law deployer obligations.
OpenOperating program that implements multi-state AI law compliance.
Open5-minute classification across Colorado AI Act, NYC LL144, CA AB 2013, and NIST AI RMF.
Open