Lesson 22 of 25
The VCDPA Template: Virginia, Colorado, Connecticut & the Wave
5 min read · CIPP/US
Learn one shared blueprint and answer most state questions: controller/processor roles, opt-out of targeted ads, sale, and profiling, opt-in for sensitive data, broad GLBA/HIPAA exemptions, and AG-only enforcement, with the key state-by-state twists.
The Virginia template: a shared blueprint
- VCDPA set the model most later states copied
- Controller/processor vocabulary (GDPR-like, not CA's)
- Opt-out rights + opt-in for sensitive data
- Colorado, Connecticut, Utah, Texas, and more follow it
After California, a second model emerged, and most states adopted it rather than California's. Virginia's Consumer Data Protection Act (VCDPA) set a template that Colorado, Connecticut, Utah, Texas, and a growing list of others largely followed. The exam tests the template, not fifty separate statutes: once you know the shared structure, you can answer most state-law questions and then layer on a few distinctions.
The template borrows GDPR-style vocabulary (controllers and processors rather than California's businesses and service providers), and it pairs opt-out rights for certain processing with opt-in consent for sensitive data. Learn this blueprint once and you've learned the bulk of the multistate landscape.
Controllers, processors, and applicability
- Controller decides purposes/means; processor acts on its behalf
- Thresholds based on number of consumers + sale of data
- Common entity-level exemptions: GLBA, HIPAA, nonprofits (varies)
- Data-level exemptions for already-regulated data
The template's actors mirror the GDPR: a controller determines the purposes and means of processing, and a processor handles data on the controller's behalf under a contract, the data-processing agreement. Applicability usually turns on volume: controlling or processing the personal data of a threshold number of a state's residents, with a lower threshold when the business sells data. Crucially, these laws carry broad exemptions the exam tests: many exempt entities already regulated by GLBA or HIPAA at the entity level, exempt certain nonprofits, and exempt specific data already covered by FCRA, HIPAA, and similar laws at the data level.
So a bank or a hospital may be exempt from the state comprehensive law for the very data those federal laws already govern, an important interaction between Domain two and Domain five.
Consumer rights and opt-in for sensitive data
- Access, correction, deletion, portability
- Opt out of targeted ads, sale, and profiling
- Opt-IN consent required for sensitive data
- Appeal process for denied requests
The template's consumer rights are consistent and worth memorizing as a block. Consumers can access their data, correct it, delete it, and obtain a portable copy. They can opt out of three specific processing activities: targeted advertising, the sale of personal data, and certain profiling that produces significant effects.
And here is the template's signature difference from California: for sensitive data (race, health, sexual orientation, precise geolocation, biometric data, and children's data), these laws require opt-in consent before processing, not just an opt-out. Most template states also require a process for consumers to appeal a controller's denial of a rights request. So the mental model is opt-out for advertising, sale, and profiling, but opt-in for sensitive data; that opt-in-for-sensitive rule is the most testable contrast with California.
Distinctions among the states
- Colorado & Connecticut: universal opt-out mechanism required
- Utah & (initially) Texas: more business-friendly, weaker rights
- Cure periods: some sunset, some permanent
- Enforcement: AG (often exclusive); no private right of action
Now the distinctions, where the exam earns its harder questions. Colorado and Connecticut require controllers to honor a universal opt-out mechanism, a browser-level signal like the Global Privacy Control, while some states don't. Utah, and Texas at the outset, are more business-friendly, with somewhat narrower rights and no correction right in Utah's case.
Cure periods, the grace period to fix a violation before enforcement, also vary: some states sunset the cure period after a couple of years, while others keep it permanently. And almost uniformly across the template, enforcement belongs to the state attorney general, often exclusively, with no private right of action, a sharp contrast to California's breach-only private suit and Illinois BIPA's broad one. So the pattern is a shared core with varied edges: universal opt-out, cure periods, and a couple of weaker-rights states.
The GLBA/HIPAA exemption interaction in depth
- Entity-level exemptions: whole company out if GLBA/HIPAA-regulated
- Data-level exemptions: specific regulated data carved out
- Entity vs. data exemption differs by state
- Don't assume a bank or hospital is fully exempt everywhere
The exemptions deserve a closer look, because they're where Domain two and Domain five collide and where the exam sets clever traps. The state laws use two kinds of carve-outs. An entity-level exemption takes an entire organization out of the law because it's regulated by another regime; several states exempt any business subject to GLBA, or any HIPAA covered entity, in full.
A data-level exemption is narrower: it removes only specific categories of data already governed by laws like FCRA, GLBA, HIPAA, or the Driver's Privacy Protection Act, while the rest of the company's data stays covered. The crucial nuance is that states differ: some grant a sweeping entity exemption to GLBA-regulated businesses, while others exempt only the GLBA-regulated data, leaving the company's marketing and website data inside the state law. So you can't assume a bank or hospital is wholly exempt everywhere; you have to ask whether the particular state exempts the entity or just the data, and which data is at issue.
Exam reasoning: template first, then the twist
- Default to the template (controller/processor, opt-out + sensitive opt-in)
- Watch entity/data exemptions (GLBA, HIPAA)
- AG-only enforcement, no private suit (vs. CA/BIPA)
- Distractor: applying California's exact rules to a template state
Here's the reasoning strategy that saves time. When a scenario is set in a non-California state, default to the template: controllers and processors, opt-out of targeted ads, sale, and profiling, opt-in for sensitive data, and an appeal right. Then check for the exemptions: if the actor or data is already governed by GLBA or HIPAA, the state law may not apply.
Then default to attorney-general-only enforcement with no private right of action, unlike California and Illinois. The classic trap imports a California-specific feature, like the sale-and-share distinction, the CPPA regulator, or a private right of action, into a Virginia-template state where it doesn't belong. Read for the state, then choose the right model.
Recap: one shared template, GDPR-style roles, opt-out plus sensitive opt-in, broad exemptions, and AG enforcement, with universal-opt-out and cure-period variations. Now go test yourself, then on to state rights and consent in detail.
Sources
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Texas Data Privacy and Security Act (TDPSA)
- Universal opt-out mechanism requirements
- IAPP CIPP/US Body of Knowledge, Domain V.B (State Comprehensive Privacy Laws)
Test your knowledge
Q1. Under the FCRA, a consumer reporting agency (CRA) that compiles a consumer report for employment purposes must follow reasonable procedures to assure the maximum possible accuracy. If a CRA reports inaccurate information despite these procedures, the CRA's liability:
Q2. The CAN-SPAM Act preempts state laws that specifically regulate commercial email, with one notable exception. Which state laws are NOT preempted?
Q3. National Security Letters (NSLs) issued by the FBI allow the government to compel production of certain records without judicial approval. Which of the following records may an NSL compel from a financial institution?
Q4. In civil litigation, the concept of 'proportionality' in electronic discovery (ESI) under FRCP Rule 26(b)(1) requires courts to consider: