Introduction to Virginia Privacy Rights
Virginia has positioned itself as a leader in consumer privacy protection, becoming only the second state in the nation to enact comprehensive consumer data privacy legislation. The Commonwealth's approach to privacy rights reflects a balance between protecting individual privacy and maintaining reasonable public access to government records. Virginia residents benefit from a multifaceted privacy framework that includes state-specific consumer data protections, robust data breach notification requirements, and one of the nation's oldest freedom of information statutes.
The Virginia Consumer Data Protection Act (VCDPA), which took effect on January 1, 2023, establishes significant rights for Virginia residents regarding their personal data. This legislation places Virginia alongside California as a privacy protection pioneer, though the two states take notably different regulatory approaches. While California's law applies more broadly to businesses, Virginia's statute targets larger data controllers and processors with specific revenue and data processing thresholds.
Beyond consumer privacy, Virginia maintains strong protections through the Virginia Freedom of Information Act (VFOIA), codified in Virginia Code § 2.2-3700 et seq., which has governed public records access since 1968. The state also enforces stringent data breach notification requirements under Virginia Code § 18.2-186.6, requiring faster notification timelines than many other states. Virginia residents additionally benefit from specific protections for health information, employment records, and financial data that extend beyond federal baseline requirements.
Compared to other states, Virginia offers above-average privacy protections, particularly in the consumer data space. However, unlike some states, Virginia does not have comprehensive biometric privacy legislation similar to Illinois' Biometric Information Privacy Act, nor does it restrict commercial use of personal information as extensively as California's regulations. The Commonwealth's privacy landscape continues to evolve through both legislative action and case law interpretation.
Virginia's State Privacy Laws
Virginia's privacy legal framework consists of several key statutes that work together to protect different aspects of personal information. The cornerstone of consumer privacy protection is the Virginia Consumer Data Protection Act (VCDPA), enacted as Virginia Code § 59.1-575 through § 59.1-585. This comprehensive legislation took effect on January 1, 2023, and applies to businesses that control or process the personal data of at least 100,000 Virginia consumers annually, or that control or process the personal data of at least 25,000 Virginia consumers while deriving over 50% of gross revenue from the sale of personal data.
The VCDPA grants Virginia consumers five fundamental rights: the right to access personal data a controller has collected, the right to correct inaccuracies, the right to delete personal data, the right to obtain a copy of personal data in a portable format, and the right to opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of automated decisions. Controllers must respond to consumer requests within 45 days, with a possible 45-day extension when reasonably necessary.
Data breach notification requirements are governed by Virginia Code § 18.2-186.6, which mandates that any individual or entity that maintains computerized data containing personal information of Virginia residents must provide notice of any security breach without unreasonable delay. The statute defines personal information as a Virginia resident's first name or first initial and last name in combination with Social Security numbers, driver's license numbers, or financial account numbers. Importantly, Virginia law requires notification to affected residents "without unreasonable delay" following discovery of a breach, though it does not specify an exact number of days. However, the Virginia Attorney General must be notified without unreasonable delay if the breach affects more than 1,000 residents. This makes Virginia's breach notification requirements among the more immediate in the nation.
Employee privacy rights in Virginia are protected through multiple statutes. Virginia Code § 40.1-28.7:5 restricts employer access to employee social media accounts, prohibiting employers from requiring or requesting employees or applicants to disclose passwords or access personal social media accounts as a condition of employment. Virginia Code § 40.1-28.7:7 further prohibits employers from requiring employees to add the employer or employment agency to their list of contacts associated with social media accounts. These protections, enacted in 2015, place Virginia ahead of many states in recognizing digital privacy rights in the employment context.
Virginia law also addresses employee monitoring and background checks. While Virginia does not require employers to notify employees of general workplace monitoring, the state's courts have recognized reasonable expectations of privacy in certain workplace contexts. Virginia Code § 19.2-389 governs the use and dissemination of criminal history record information, placing restrictions on how employers can obtain and use such records for employment decisions.
Financial privacy protections in Virginia extend beyond federal requirements. Virginia Code § 6.2-2600 through § 6.2-2623 comprises the Financial Privacy Act, which regulates how financial institutions may share nonpublic personal financial information. This statute requires financial institutions to provide clear privacy notices and allows consumers to opt out of information sharing with nonaffiliated third parties. Virginia's financial privacy protections align with federal Gramm-Leach-Bliley Act requirements while providing state-level enforcement mechanisms through the Virginia Bureau of Financial Institutions and State Corporation Commission.
Additional privacy protections include Virginia Code § 18.2-386.1, which criminalizes the unlawful videotaping or photographing of nonconsenting persons in private settings, and Virginia Code § 8.01-40, which creates a civil cause of action for invasion of privacy. These statutes provide both criminal and civil remedies for privacy violations, demonstrating Virginia's comprehensive approach to protecting personal privacy across multiple domains.
Freedom of Information / Open Records in Virginia
The Virginia Freedom of Information Act (VFOIA), codified at Virginia Code § 2.2-3700 through § 2.2-3714, establishes the right of Virginia citizens to access public records and attend meetings of public bodies. Enacted in its original form in 1968 and significantly amended in 1976, VFOIA embodies Virginia's policy that all public records and meetings should be presumptively open, "unless a specific and relevant exemption is properly invoked."
VFOIA defines "public records" broadly as all writings and recordings prepared or owned by, or in the possession of a public body or its officers, employees, or agents in the transaction of public business. This includes paper documents, electronic files, emails, text messages, photographs, video recordings, and any other format containing information relating to the conduct of the public's business. However, the definition explicitly excludes personal notes and correspondence of individual officials if not related to the transaction of public business.
To request records under VFOIA, you must submit a written request to the public body's FOIA officer or the custodian of the requested records. Virginia Code § 2.2-3704(F) requires each public body to designate and publicly identify one or more FOIA officers whose responsibility includes serving as a point of contact for members of the public requesting records. Your request should be as specific as possible, identifying the records sought with reasonable specificity. You are not required to state your reason for requesting the records or your intended use.
Public bodies must respond to FOIA requests within five working days from receiving the request. This response timeframe is among the shortest in the nation. The response must either provide the requested records, deny the request with citation to the specific exemption authorizing withholding, or indicate that providing the records requires additional time (up to seven additional working days). Virginia Code § 2.2-3704(B) permits the extension only when the request is voluminous or requires searching multiple locations.
Fee schedules under VFOIA are reasonable and may not exceed the actual cost of accessing, duplicating, supplying, or searching for records. Virginia Code § 2.2-3704(F) specifies that charges cannot exceed the actual cost incurred in accessing, duplicating, supplying, or searching for the requested records, and no public body may impose any extraneous, intermediary, or surplus fees or expenses to recoup general costs. Standard charges typically include: up to 50 cents per page for paper copies, actual cost of the medium for electronic records, and reasonable charges for staff time exceeding two hours spent searching or producing records. All charges must be estimated and provided to the requester before work begins if costs will exceed $200.
VFOIA contains numerous exemptions specific to Virginia. Virginia Code § 2.2-3705.1 through § 2.2-3706 detail mandatory and discretionary exemptions covering personnel records, records involving investigations of criminal activity, trade secrets and proprietary information, attorney-client privileged communications, and records relating to security of public facilities. Personal information exemptions under § 2.2-3705.1(1) protect home addresses, personal telephone numbers, and Social Security numbers of public employees and their family members. Medical records, scholastic records, and adoption records also receive specific exemptions.
The appeals process for VFOIA denials proceeds through two avenues. You may petition the Virginia Freedom of Information Advisory Council at foiacouncil@dls.virginia.gov or 804-225-3056 for an advisory opinion on whether a denial was proper. This informal process provides guidance but does not create binding legal authority. For binding relief, you must file a petition for mandamus or injunction in the Circuit Court of the jurisdiction where the record is located or where the public body has its principal office. Virginia Code § 2.2-3713 provides that if you substantially prevail, you may be awarded reasonable costs and attorney's fees. Conversely, if the court finds your petition was filed in bad faith or in a frivolous manner, the public body may recover its costs.
HIPAA and Health Privacy
The Health Insurance Portability and Accountability Act (HIPAA) establishes federal baseline protections for health information throughout the United States, including Virginia. HIPAA's Privacy Rule, codified at 45 CFR Part 160 and Part 164, Subparts A and E, governs how covered entities—healthcare providers, health plans, and healthcare clearinghouses—may use and disclose protected health information (PHI). In Virginia, all healthcare providers, from major hospital systems like VCU Health and Sentara Healthcare to individual practitioners, must comply with HIPAA requirements.
Virginia enhances federal HIPAA protections through state-specific health privacy laws. Virginia Code § 32.1-127.1:03 establishes strict requirements for health records confidentiality, mandating that health care entities maintain the confidentiality of health records and prohibiting disclosure except in specifically enumerated circumstances. This statute applies more broadly than HIPAA, covering health information held by entities that may not meet HIPAA's definition of covered entities.
Mental health and substance abuse records receive additional protection under Virginia law. Virginia Code § 37.2-804 specifically protects records of individuals receiving mental health services, requiring written consent for disclosure with limited exceptions for treatment, court orders, or emergencies. Similarly, Virginia Code § 37.2-804.2 addresses confidentiality of substance abuse records, often providing protections that exceed federal requirements under 42 CFR Part 2.
Virginia residents have specific rights regarding their medical records under both federal and state law. You have the right to access your medical records, typically within 30 days of request under HIPAA, though Virginia Code § 8.01-413 requires healthcare providers to produce copies within 15 days of a written request. Healthcare providers may charge reasonable fees for copying medical records, with Virginia regulations generally limiting charges to actual costs, typically between 50 cents and $1.00 per page, plus reasonable retrieval fees not exceeding $20.
To protect your medical records in Virginia, you should execute a HIPAA authorization form carefully, limiting disclosures to only what is necessary. You can request an accounting of disclosures to learn who has accessed your records. If you believe your health privacy rights have been violated, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights and with the Virginia Department of Health Professions at 804-367-4400. Virginia law also provides a private right of action for improper disclosure under Virginia Code § 8.01-40(B), allowing you to sue for damages resulting from health privacy violations.
Consumer Data Privacy Rights
Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents possess comprehensive rights regarding personal data collected, processed, and sold by businesses. These rights became enforceable on January 1, 2023, and apply to controllers conducting business in Virginia or producing products or services targeted to Virginia residents that meet the statutory thresholds.
Your core rights under Virginia Code § 59.1-578 include: (1) the right to confirm whether a controller is processing your personal data and to access that data; (2) the right to correct inaccuracies in your personal data; (3) the right to delete personal data you provided to the controller; (4) the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format; and (5) the right to opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise these rights, you must submit a request to the controller through the method the controller has established for such requests, typically found in the company's privacy policy. Controllers must respond within 45 days of receiving your request, though they may extend this period by an additional 45 days when reasonably necessary, with notice and explanation of the extension. Controllers cannot charge fees for responding to requests unless the requests are excessive, repetitive, or manifestly unfounded.
Opt-out rights in Virginia are particularly significant. Unlike California's approach, Virginia Code § 59.1-578(A)(5) provides a universal opt-out mechanism for the sale of personal data and targeted advertising. Controllers must provide a clear and conspicuous method for opting out, and they must honor opt-out preference signals sent by platforms, technology, or mechanisms that communicate consumer preferences. This means that if you use a browser or extension that sends opt-out signals, Virginia businesses must honor those signals.
Removing information from data brokers requires direct action with each data broker. Under Virginia Code § 59.1-581, data brokers (defined as businesses whose primary activity is collecting and selling consumer personal data) must register with the Virginia Attorney General and maintain systems for handling opt-out requests. Major data brokers operating in Virginia include Acxiom, Epsilon, Experian, LexisNexis, and CoreLogic. To opt out, visit each data broker's website and locate their privacy policy or opt-out page. Submit deletion requests citing your rights under the VCDPA. Keep records of all requests and responses.
For people-search websites like Spokeo, BeenVerified, WhitePages, Intelius, and PeopleFinder, you must typically visit each site individually and submit opt-out requests. Many of these sites maintain opt-out pages, though the process can be time-consuming. Some services like DeleteMe and OneRep offer paid assistance with bulk removals, though you can accomplish the same results through persistent individual requests.
Credit report rights in Virginia are governed by the federal Fair Credit Reporting Act (FCRA), which provides uniform protections nationwide. However, Virginia Code § 59.1-444.1 supplements federal law by requiring consumer reporting agencies to maintain toll-free numbers for fraud alerts and security freezes. You are entitled to one free credit report annually from each of the three major credit bureaus—Equifax, Experian, and TransUnion—through AnnualCreditReport.com. Virginia residents can place security freezes on credit reports free of charge under Virginia Code § 59.1-444.1:1, and credit bureaus must implement freezes within one business day of receiving electronic or telephone requests. You can dispute inaccurate information on credit reports by submitting written disputes directly to the credit bureau, which must investigate within 30 days under FCRA requirements.
Employment Background Checks & Privacy
Virginia employers must comply with both federal Fair Credit Reporting Act (FCRA) requirements and Virginia-specific statutes when conducting background checks and accessing employee information. Understanding these rules helps you protect your privacy rights and challenge improper use of your personal information in employment contexts.
Under Virginia Code § 19.2-389, criminal history record information maintained by the Virginia State Police may only be disseminated for specific authorized purposes. Employers may access criminal history records through the Central Criminal Records Exchange (CCRE), but they must comply with regulations established by the Department of State Police. Virginia Code § 19.2-392.02 requires employers seeking national criminal background checks to use authorized channels and maintain the confidentiality of records received.
What employers can and cannot access depends on the position and applicable regulations. For most private employers, access to criminal records is limited to convictions and pending charges. Virginia does not have a broad "ban-the-box" law prohibiting criminal history questions on initial applications for private employers. However, Virginia Code § 2.2-2817.1 prohibits most state agencies from including questions about criminal convictions on initial employment applications, with exceptions for public safety and other sensitive positions. Local jurisdictions, including Richmond and Alexandria, have enacted their own ban-the-box ordinances covering private employers within their boundaries.
When employers use third-party background check companies, they must comply with FCRA requirements, including obtaining written authorization, providing pre-adverse action notices if they plan to deny employment based on background check results, and giving applicants opportunity to dispute inaccurate information. Virginia employers must also comply with Virginia Code § 40.1-28.7:5, which prohibits requiring or requesting access to personal social media accounts as a condition of employment.
How long criminal records remain accessible varies by offense type. Convictions generally remain on Virginia criminal records indefinitely unless expunged. However, Virginia Code § 19.2-392.3 provides for automatic sealing of certain records. As of July 1, 2021, Virginia law allows for automatic sealing of conviction records for many offenses after waiting periods: misdemeanor convictions after seven years (if no subsequent convictions), and certain felony convictions after seven years. Charges that resulted in acquittal, dismissal, or nolle prosequi are automatically sealed.
For offenses not eligible for automatic sealing, Virginia Code § 19.2-392.2 establishes a petition process for expungement. You may petition the circuit court where the charge was disposed for expungement of police and court records if you were acquitted, charges were dismissed, you were pardoned, or you were convicted due to identity fraud by another person. The Virginia State Police maintain information on the expungement process at 804-674-2000 or through their Central Criminal Records Exchange.
To dispute inaccurate background check records, you should first obtain a copy of your own Virginia criminal history record from the Virginia State Police Central Criminal Records Exchange by submitting a notarized request form and fingerprints, with a $15 fee. If you identify inaccuracies, you can challenge them through the Virginia State Police at CCRE@vsp.virginia.gov or 804-674-2023. For court record errors, contact the clerk of the court where the case was handled. Under FCRA, if a background check company reports inaccurate information, you must dispute it directly with the company, which must investigate within 30 days. You can also file complaints with the Federal Trade Commission and Virginia Attorney General's Office if companies fail to correct inaccurate information.
Protecting Yourself in Virginia
Taking proactive steps to protect your privacy in Virginia requires systematic action across multiple domains. This practical guide provides specific steps you can take to minimize your digital footprint and protect your personal information.
Opting Out of People-Search Sites
People-search websites aggregate public records and other data to create detailed profiles. To remove your information, you must contact each site individually. Start with the largest sites: Spokeo (spokeo.com/optout), WhitePages (whitepages.com/suppression_requests), BeenVerified (beenverified.com/faq/opt-out), Intelius (intelius.com/optout), PeopleFinder (peoplefinder.com/manage), MyLife (mylife.com/privacy-policy), and TruthFinder (truthfinder.com/opt-out). Each site has different procedures, but most require you to search for your listing, copy the URL, and submit it through their opt-out form. Expect the process to take 24-72 hours per site, and note that you may need to repeat opt-outs periodically as data reappears. Document all opt-out requests with screenshots and confirmation emails.
Freezing Your Credit
Virginia law provides strong credit freeze protections under Virginia Code § 59.1-444.1:1. To freeze your credit with all three major bureaus, contact Equifax (800-349-9960 or equifax.com/personal/credit-report-services/credit-freeze), Experian (888-397-3742 or experian.com/freeze/center.html), and TransUnion (888-909-8872 or transunion.com/credit-freeze). You can also freeze your file with Innovis (800-540-2505) and the National Consumer Telecom & Utilities Exchange (866-349-5355). In Virginia, freezes must be implemented within one business day of electronic or telephone requests, and all freezes are free. When you freeze your credit, you receive a PIN or password that allows you to temporarily lift the freeze when you need to apply for credit. Consider also placing fraud alerts, which require only one bureau contact and automatically notify the other two.
Removing Public Records
While you cannot remove accurate public records from government databases, you can limit their accessibility in some circumstances. For court records, Virginia Code § 19.2-392.6 allows for sealing of certain criminal records. Contact the clerk of the circuit court where your case was handled to inquire about eligibility. For automatic sealing of eligible offenses, no action is required—the Virginia State Police Central Criminal Records Exchange automatically seals qualifying records. For other records, you may need to petition for expungement under Virginia Code § 19.2-392.2. The Virginia Indigent Defense Commission provides resources at publicdefender.virginia.gov.
Requesting Record Sealing or Expungement
To petition for expungement in Virginia, obtain certified copies of the final disposition from the court clerk where your case was handled. Complete the Petition for Expungement form (available from the circuit court clerk) and file it with the circuit court, paying the filing fee (approximately $86-$100, though fee waivers are available for indigent petitioners). Serve copies on the Commonwealth's Attorney and the Virginia State Police Central Criminal Records Exchange. The court will schedule a hearing where you must demonstrate that continued existence of the record causes or may cause circumstances that constitute a manifest injustice. If granted, the court orders all agencies to expunge the records. The entire process typically takes 3-6 months.
Key Virginia Contacts for Privacy Protection
Virginia Attorney General's Office Consumer Protection Section: 804-786-2042 or consumer@oag.state.va.us, for VCDPA complaints and consumer privacy issues. Virginia State Police Central Criminal Records Exchange: 804-674-2000 or CCRE@vsp.virginia.gov, for criminal history records and expungement processing. Virginia Freedom of Information Advisory Council: 804-225-3056 or foiacouncil@dls.virginia.gov, for public records access issues. Virginia Department of Health Professions: 804-367-4400, for healthcare privacy complaints. Virginia State Corporation Commission Bureau of Insurance: 804-371-9741, for insurance privacy matters. Virginia Employment Commission: 804-786-1082, for employment privacy issues.
Additional Protective Measures
Register with the National Do Not Call Registry at donotcall.gov or 888-382-1222 to reduce telemarketing calls. Opt out of prescreened credit offers through optoutprescreen.com or 888-567-8688, which removes your name from lists provided by credit bureaus to credit card companies and insurers. For direct mail reduction, register with DMAchoice.org (Direct Marketing Association's mail preference service) for $2. Consider using a P.O. Box or commercial mail receiving agency for public documents instead of your home address. When registering to vote in Virginia, you can request that your address be excluded from lists sold to commercial entities by checking the appropriate box on your voter registration form.
Virginia Data Breach Notification
Virginia's data breach notification law, codified at Virginia Code § 18.2-186.6, establishes comprehensive requirements for entities that experience breaches of personal information. Understanding these requirements helps you know what to expect if your information is compromised and what rights you have following a breach.
Who must notify under the statute includes any individual or entity that maintains computerized data that includes personal information of Virginia residents. This broad definition encompasses businesses, nonprofits, government agencies, and individuals who maintain such data, regardless of whether the entity is located in Virginia. The law applies equally to data owners and third-party service providers who maintain data on behalf of others.
Personal information is defined as a Virginia resident's first name or first initial and last name in combination with one or more of the following: Social Security number, driver's license number or state identification card number, or financial account number or credit card or debit card number in combination with any required security code, access code, or password that would permit access to the account. The definition excludes information that is encrypted, redacted, or otherwise secured in a manner that renders it unreadable or unusable.
Notification timeframe requirements mandate notice "without unreasonable delay" following discovery of a breach. Virginia Code § 18.2-186.6(B) does not specify a precise number of days, giving the statute flexibility but also creating some uncertainty. In practice, "without unreasonable delay" is generally interpreted as meaning as soon as possible after discovery and after completing an investigation to determine the scope of the breach and restore system integrity. Most entities aim for notification within 7-14 days of breach discovery to avoid claims of unreasonable delay.
When a breach affects more than 1,000 Virginia residents, the entity must notify the Virginia Attorney General without unreasonable delay. This notification must be submitted to the Consumer Protection Section at consumer@oag.state.va.us. The Attorney General's office maintains records of reported breaches and can take enforcement action for violations.
Notification content requirements are specific. Notice to affected individuals must include: a description of the breach in general terms, the type of personal information compromised, a general description of what the entity is doing to protect information from further breaches, a telephone number for further information and assistance, and advice to affected individuals to remain vigilant by reviewing account statements and monitoring credit reports. The notice may also include information about identity theft protection services offered by the entity.
Notice methods must be appropriate to the circumstances. Written notice by first-class mail to the last known address is standard. Alternatively, entities may provide electronic notice if that is the primary method of communication with the affected individuals. For situations where the cost of notice would exceed $50,000, the affected class exceeds 100,000 persons, or the entity lacks sufficient contact information, substitute notice is permitted through email if the entity has email addresses, conspicuous posting on the entity's website, and notification to major statewide media.
Penalties for violations can be substantial. Violations of the breach notification statute constitute a prohibited practice under the Virginia Consumer Protection Act, Virginia Code § 59.1-200. The Attorney General may seek civil penalties of up to $150,000 per breach incident (not per affected individual). Willful violations can result in higher penalties. Additionally, failure to provide timely notification can expose entities to civil lawsuits from affected individuals for damages resulting from the delayed notification. While Virginia Code § 18.2-186.6 does not create an explicit private right of action, affected individuals may pursue claims under common law negligence theories or the Virginia Consumer Protection Act.
Third-party agents or service providers who maintain personal data on behalf of other entities have specific notification obligations. If a third party experiences a breach, it must notify the data owner without unreasonable delay following discovery, and the data owner then becomes responsible for notifying affected Virginia residents and the Attorney General as required.
Children's Privacy (Virginia)
Children's privacy receives special protection under both federal law and Virginia-specific statutes. The federal Children's Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission, applies throughout Virginia and requires operators of websites or online services directed to children under 13, or operators with actual knowledge they are collecting personal information from children under 13, to provide notice to parents, obtain verifiable parental consent before collecting children's information, allow parents to review and request deletion of their children's information, maintain reasonable data security, and retain children's information only as long as necessary.
Virginia enhances federal protections through the Virginia Consumer Data Protection Act (VCDPA). Virginia Code § 59.1-580 specifically addresses processing of children's personal data. Controllers must not process personal data of consumers under 13 for purposes of targeted advertising or sell such personal data without obtaining verifiable parental consent. For children between 13 and 16, controllers must obtain opt-in consent from the child before processing personal data for targeted advertising or sale, though parental consent is not required for this age group.
These Virginia-specific protections exceed COPPA requirements by extending some protections to teenagers and specifically addressing targeted advertising and data sales, practices not explicitly covered by COPPA. The VCDPA provisions became effective January 1, 2023, making Virginia one of the few states to provide statutory protections for teenagers' data beyond federal baseline requirements.
School records are protected under the federal Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, which applies to all schools receiving federal funding in Virginia. FERPA grants parents rights to inspect and review their children's education records, request amendment of inaccurate records, and control disclosure of personally identifiable information from education records. These rights transfer to students when they reach age 18 or attend a postsecondary institution.
Virginia supplements FERPA protections with state law requirements. Virginia Code § 22.1-287 addresses the confidentiality of scholastic records, limiting disclosure of student records without parental consent. Virginia regulations at 8VAC20-150 establish comprehensive requirements for student record maintenance, retention, and disclosure by Virginia school divisions. Virginia law provides parents broader access rights than FERPA's minimum requirements, including the right to inspect all materials used in any survey, analysis, or evaluation involving their children.
The Virginia Student Data Privacy Act, Virginia Code § 22.1-289.01, enacted in 2020, prohibits operators of educational technology services from using student personal information for targeted advertising, creating profiles for non-educational purposes, or selling student information. This statute specifically addresses the growing use of educational technology platforms and apps in Virginia schools, providing protections that extend beyond FERPA's original scope.
Parents concerned about their children's privacy in Virginia schools should request copies of privacy policies from their school division, review what data is collected through educational technology platforms, exercise their FERPA rights to review and challenge records, and opt their children out of directory information disclosure by submitting written requests to school administrators within the timeframes specified in annual FERPA notices (typically within the first few weeks of the school year).
Frequently Asked Questions
How do I exercise my rights under the Virginia Consumer Data Protection Act?
To exercise your VCDPA rights, visit the website or privacy policy of the business that has your data and locate their consumer rights request portal or contact information. Submit a request specifying which right you wish to exercise: access, correction, deletion, data portability, or opt-out. You do not need to explain why you are making the request. The business must respond within 45 days, though they may extend this by an additional 45 days with notice. If a business denies your request, you can appeal the decision to the business within a reasonable time, and they must respond within 60 days. If still unsatisfied, you can file a complaint with the Virginia Attorney General's Consumer Protection Section at 804-786-2042 or consumer@oag.state.va.us.
Can I seal or expunge my Virginia criminal record?
Virginia law provides for automatic sealing of many criminal records under Virginia Code § 19.2-392.3, effective July 1, 2021. Charges that resulted in acquittal, dismissal, or nolle prosequi are automatically sealed. Certain misdemeanor and felony convictions are automatically sealed after seven years if you have no subsequent convictions. For records not eligible for automatic sealing, you may petition for expungement under Virginia Code § 19.2-392.2 if you were acquitted, charges were dismissed or nolle prosequi, you received an absolute pardon, or you were convicted as a result of identity fraud by another person. File a petition with the circuit court where the case was disposed, along with certified case disposition documents and the filing fee. Contact the circuit court clerk in your jurisdiction or the Virginia State Police Central Criminal Records Exchange at 804-674-2000 for specific guidance.
How quickly must Virginia government agencies respond to public records requests?
Under the Virginia Freedom of Information Act (VFOIA), Virginia Code § 2.2-3704(B), public bodies must respond to records requests within five working days from receipt of the request. This is one of the shortest response times in the nation. The five-day response must either provide the requested records, deny the request with specific citation to exemptions, or inform the requester that more time is needed (up to seven additional working days) due to the volume of records or need to search multiple locations. If the agency states additional time is needed, they must specify when records will be provided. If an agency fails to respond within these timeframes, you can file a complaint with the Virginia Freedom of Information Advisory Council at 804-225-3056 or seek judicial enforcement through circuit court.