Virginia Has AI Regulations.
Is Your Business Ready?
Virginia's Consumer Data Protection Act, in effect since January 2023, includes provisions governing profiling and automated decision-making that directly affect how businesses deploy AI systems. Its data protection assessment requirements parallel the impact assessments emerging in AI-specific legislation.
Key Law: Virginia Consumer Data Protection Act (VCDPA) -- Data & AI Provisions
Status
Enacted
Effective Date
January 1, 2023
Penalties
Yes
Penalty Details
Enforced by the Virginia Attorney General with penalties of up to $7,500 per violation. No private right of action.
Key Industry Focus
Consumer data, profiling, automated decision-making
What This Means For Your Business
Here are the specific requirements and implications of Virginia's AI regulations for small businesses.
The VCDPA grants consumers the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Businesses must conduct data protection assessments for processing activities that present a heightened risk, including profiling.
Companies must provide clear privacy notices describing how personal data is used in automated processing and profiling.
Businesses processing personal data for targeted advertising or profiling must allow consumers to opt out.
Risk Factors for Virginia Businesses
Virginia's VCDPA is already in effect and applies to businesses meeting revenue or data-processing thresholds that serve Virginia consumers.
The profiling and automated decision-making provisions directly implicate many common AI use cases.
The Virginia Attorney General has enforcement authority and has signaled AI-related consumer protection as a priority.
VCDPA compliance overlaps significantly with AI governance best practices -- building documentation now covers multiple obligations.
The Insurance Risk Nobody Is Talking About
Regardless of where Virginia's AI legislation stands, your insurance exposure is real right now. Verisk's 2026 AI exclusion endorsements (CG 40 47, CG 40 48, CG 40 49) let carriers exclude AI-related claims from your general liability and professional liability policies at any renewal.
Underwriters deciding whether to attach these exclusions look for one thing: does this business have documented AI governance? An acceptable use policy, an AI tool registry, employee acknowledgments, and an incident response plan.
The governance documentation that satisfies Virginia's regulatory requirements is the same documentation your insurer wants to see. Two problems, one solution.
Get Your AI Governance Documentation in 15 Minutes
Complete AI governance kit — AI tool registry, acceptable use policy, employee acknowledgments, incident response plan, and insurance renewal summary. Built for small businesses in Virginia and beyond. $29 one-time.