VCDPA: Frequently Asked Questions

If you have customers in Virginia then you probably already know, that the State of Virginia, introduced a new privacy legislation (“VCDPA“) on January 1st, 2023. Because of the potential impact of this legislation on your business we recommend taking the time to understand how VCDPA may affect you.

VCDPA is similar to CCPA and GDPR (European General Data Protection Regulation) in that its’ main themes are:

  1. Regulating the obtaining and storage of Personal Identifiable Information (PII)
  2. Regulating the sale of customers’ personal information
  3. Regulating the rights of customers: right to access, delete, request their personal data in a portable format, and opt-out of the sale of their personal data

However, as opposed to GDPR, VCDPA only directly applies to larger corporations and organizations.


Changes In Mouseflow

Here at Mouseflow, we’ve also had to prepare for VCDPA, but because we are already 100% GDPR and CCPA compliant, the changes have been relatively minor. The main change you will see in the Mouseflow app is that the last 3 digits of IP addresses from Virginia will be masked and replaced with ***, as well as all keystrokes from visitors from Virginia are automatically masked.


Making Sure You Are Ready For VCDPA

If want to make sure that you, as a Mouseflow customer, is set up for VCDPA we’ve made an official VCDPA Resource Page to help you. Be sure to check it out, as it contains useful information related to data collection in your Mouseflow account. We also recommend that you check out our guide on how to exclude content from being recorded with our easy to use Visual Privacy Tool.


This post will serve as a general FAQ, answering some common questions about VCDPA.

Q: What does VCDPA stand for?

A: VCDPA stands for the “Virginia Consumer Data Protection Act”.

Q: When does VCPDA start?

A: VCDPA (officially called SB1392) was adopted on Marc 2nd, 2021. It takes effect on January 1st, 2023.

Q: Who does VCDPA affect?

A: VCDPA applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of Virginia and satisfies at least one of the following thresholds:

  1. During a calendar year, control or process personal data of at least 100,000 consumers or
  2. Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Q: What is personal data?

A: VCDPA defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

Q: How does Mouseflow comply with VCDPA?

A: Mouseflow automatically anonymizes IP addresses for website visitors from Virginia. Furthermore, we do not track ISP’s for visitors within Virginia. In addition Mouseflow disables the capture/tracking of keystrokes. This is useful if you don’t want to track data entered into input fields on your website.

Q: How has VCDPA affected Mouseflow?

A: Since December 2022, we have made changes to the Mouseflow accounts. This is to keep you safe, align with industry best practices, and aid in compliance with VCDPA. If you’re an account holder at Mouseflow your visitors’ IP addresses and ISP information will be anonymized for all visits made by users located within the State of Virginia (all other US visitors except for California residents will be unaffected).

Q: As a Mouseflow client, what do I need to do to be ready for VCDPA?

A: Mouseflow specifically prohibits the collection of personal data on your website. If your website logs personal data, you will need to use Mouseflow’s exclusion tools to ensure the data isn’t collected or processed.


Hopefully, this FAQ answers some of your questions regarding VCDPA. As an important reminder, please review the “What You Need to Do” section on our VCDPA page.

If you have any input or questions regarding VCDPA or Mouseflow please let us know by contacting us at