What the VCDPA Covers and Who It Applies To

The Virginia Consumer Data Protection Act took effect on 1 January 2023, making Virginia the second US state after California to enact a comprehensive consumer privacy law. Unlike the CCPA, it does not include a revenue threshold. Applicability depends entirely on data volume.

The VCDPA applies to organisations that conduct business in Virginia or target products and services at Virginia residents and, during the calendar year, meet one of two criteria: control or process personal data of at least 100,000 Virginia residents, or derive over 50 per cent of gross revenue from the sale of personal data while controlling or processing the data of at least 25,000 Virginia residents.

Personal data under the VCDPA means any information linked or reasonably linkable to an identified or identifiable natural person. A consumer is defined as a Virginia resident acting in an individual or household context - not in a commercial or employment role.

The Opt-Out Model: How VCDPA Handles Cookie Consent

The VCDPA follows an opt-out consent model. Businesses may process personal data by default, provided consumers have a clear mechanism to opt out. There is no blanket requirement to obtain prior consent before setting cookies.

This stands in sharp contrast to the GDPR's opt-in approach under Article 5(3) of the ePrivacy Directive, where non-essential cookies require affirmative consent before placement. Under the VCDPA, your website can load analytics and advertising cookies without a consent gate - but you must offer visitors the ability to refuse.

Three situations still require explicit opt-in consent under the VCDPA:

  • Sensitive data - racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric identifiers, and precise geolocation data
  • Children's data - personal data collected from a known child under 13, consistent with COPPA requirements
  • New processing purposes - if you later decide to use previously collected data for a purpose not disclosed at the time of collection

If your website sets cookies that process any of these sensitive categories, you need affirmative opt-in consent from the user before those cookies fire.

Consumer Rights Under the VCDPA

Virginia residents have five core rights under the VCDPA. Each right carries practical consequences for how your website handles data and cookies.

| Consumer Right | What It Means for Your Website |
|---|---|
| Right to access | Consumers can request confirmation of whether you process their personal data and obtain a copy |
| Right to correction | Consumers can ask you to correct inaccurate personal data |
| Right to deletion | Consumers can request deletion of their personal data, including data collected via cookies |
| Right to data portability | Consumers can obtain their data in a portable, readily usable format |
| Right to opt out | Consumers can opt out of targeted advertising, the sale of personal data, and profiling |

The right to opt out is the most relevant for cookie compliance. You must provide a clear, accessible opt-out mechanism - typically through a link labelled "Do Not Sell My Personal Data" or a similar control within your cookie banner.

VCDPA vs CCPA: Key Differences for Website Owners

Both laws govern consumer data rights, but the structural differences are significant. Understanding them matters if your website serves visitors in both states.

| Feature | VCDPA (Virginia) | CCPA/CPRA (California) |
|---|---|---|
| Effective date | 1 January 2023 | 1 January 2020 (CCPA); 1 January 2023 (CPRA amendments) |
| Revenue threshold | None | $25 million annual gross revenue |
| Data volume threshold | 100,000 consumers or 25,000 consumers + 50% revenue from data sales | 100,000 consumers/households or 50% revenue from data sales |
| Definition of "sale" | Exchange for monetary consideration only | Exchange for monetary or other valuable consideration |
| Sensitive data | Opt-in consent required | Opt-out approach under CPRA |
| Private right of action | No - AG enforcement only | Yes - consumers can sue for data breaches (up to $750 per incident) |
| Cure period | 30 days | Removed under CPRA |
| Data protection assessments | Required for certain processing | Not currently required |
| Employee/B2B data | Excluded | Included under CPRA |

The narrower definition of "sale" is notable. Under the CCPA, sharing data with an ad network for targeted advertising can count as a sale even without a direct monetary exchange. The VCDPA only considers it a sale when money changes hands. Sharing cookies like _fbp or _ga with third parties for advertising may not qualify as a "sale" under Virginia's definition, though it could still fall under "targeted advertising" - which consumers can separately opt out of.

Enforcement and Penalties

The Virginia Attorney General holds exclusive enforcement authority over the VCDPA. There is no private right of action, meaning individual consumers cannot file lawsuits for violations.

Before bringing an enforcement action, the AG must issue a notice of violation. Businesses then have 30 days to cure the issue. If the violation remains unresolved, the AG can pursue civil penalties of up to $7,500 per violation, along with injunctive relief and reasonable expenses.

In February 2026, Virginia AG Jay Jones announced full enforcement of new VCDPA amendments targeting minors on social media. Since 1 January 2026, social media platforms must use commercially reasonable methods to determine whether a user is under 16 and must limit minors to one hour of daily use unless a parent consents to a longer duration. This signals an increasingly active enforcement posture from the AG's office.

What the VCDPA Means for Your Cookie Setup

Because the VCDPA uses an opt-out model, your technical obligations differ from a GDPR-focused setup. Here is what to consider:

Analytics cookies like _ga, _gid, and _gat can fire by default for Virginia visitors. But you must provide a mechanism to opt out of targeted advertising and data sales. If your Google Analytics 4 configuration shares data with Google's advertising products, the opt-out obligation applies.

Marketing cookies such as _fbp, _ttp, and _gcl_au fall squarely under "targeted advertising." Virginia consumers must be able to refuse these. A properly designed cookie banner with an opt-out toggle for marketing or advertising cookies satisfies this requirement.

Functional cookies like pll_language or PHPSESSID do not typically involve targeted advertising or data sales, so they fall outside the opt-out scope.

If your site also serves EU visitors, you likely already run an opt-in banner under the GDPR. A geo-targeted approach works well: show an opt-in banner to EEA visitors and an opt-out banner (or no banner, with a clear opt-out link) to Virginia visitors.

Global Privacy Control and the VCDPA

Unlike some other state laws such as the Colorado Privacy Act, the VCDPA does not currently mandate recognition of Global Privacy Control (GPC) signals. Businesses are not required to treat a GPC signal as a valid opt-out request under Virginia law.

That said, honouring GPC is a practical choice. If your site already processes GPC signals for CCPA compliance, extending that behaviour to Virginia visitors adds minimal technical overhead and demonstrates good faith.
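
The cookie-setup and GPC sections above can be expressed as one gating function that decides which cookie categories may fire for a visitor. This is an added example, not code from Kukie.io or any consent platform; the region codes (`EEA`, `US-VA`), the option names and the shape of the consent object are assumptions, while the cookie names and their categories are the ones listed in this article.

```javascript
// Added example. Cookie names and categories are the ones the article lists;
// the region codes, option names and consent-object shape are assumptions.
const COOKIE_CATEGORY = {
  _ga: "analytics", _gid: "analytics", _gat: "analytics",
  _fbp: "marketing", _ttp: "marketing", _gcl_au: "marketing",
  pll_language: "functional", PHPSESSID: "functional",
};

// Opt-in for EEA visitors, opt-out for Virginia visitors.
const REGION_MODEL = { EEA: "opt-in", "US-VA": "opt-out" };

function allowedCategories(ctx) {
  const {
    region,
    consent = {},              // per category: true = accepted, false = refused, absent = no choice yet
    gpc = false,               // in a browser: navigator.globalPrivacyControl === true
    honourGpc = true,          // optional under the VCDPA; a site policy choice
    analyticsFeedsAds = false, // e.g. GA4 sharing data with advertising products
    sensitive = [],            // categories whose cookies process sensitive data
  } = ctx;
  // Unknown regions get the stricter model (a design assumption, not a legal rule).
  const model = REGION_MODEL[region] || "opt-in";
  const allowed = new Set(["functional"]);

  if (model === "opt-in") {
    for (const cat of ["analytics", "marketing"]) {
      if (consent[cat] === true) allowed.add(cat);
    }
    return allowed;
  }

  // Opt-out model: on by default, off once the visitor refuses.
  const adsOptOut = consent.marketing === false || (gpc && honourGpc);
  if (!adsOptOut) allowed.add("marketing");
  if (consent.analytics !== false && !(analyticsFeedsAds && adsOptOut)) {
    allowed.add("analytics");
  }
  // Sensitive-data processing needs affirmative consent even under opt-out.
  for (const cat of sensitive) {
    if (consent[cat] !== true) allowed.delete(cat);
  }
  return allowed;
}

// Uncategorised cookies are blocked until someone classifies them.
function mayFire(cookieName, ctx) {
  const cat = COOKIE_CATEGORY[cookieName];
  return cat !== undefined && allowedCategories(ctx).has(cat);
}
```

Call `mayFire` before each tag loads rather than once at page load, so that an opt-out made mid-session takes effect for the next request.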

How the VCDPA Fits Into the Wider US Privacy Landscape

Virginia was the second state to pass a comprehensive privacy law, after California. Since then, more than a dozen states have followed with their own legislation, including Colorado, Connecticut, and Texas. Many of these newer laws borrow heavily from the VCDPA's structure. The US state privacy laws comparison shows how Virginia's framework became a template for opt-out based privacy legislation across the country.

For website owners, the practical takeaway is straightforward. If you set up a compliant opt-out mechanism for Virginia, you are well positioned to meet the requirements of most other US state privacy laws that followed.

Frequently Asked Questions

Does the VCDPA require a cookie consent banner?

The VCDPA does not specifically require a cookie consent banner. It requires an opt-out mechanism for targeted advertising, data sales, and profiling. A cookie banner with opt-out controls is one effective way to provide this, but a clear opt-out link elsewhere on your site can also suffice.

Do I need opt-in consent for analytics cookies under the VCDPA?

No. The VCDPA follows an opt-out model, so analytics cookies can load by default. Opt-in consent is only required for sensitive data, children's data, or new processing purposes not originally disclosed.

What is the penalty for violating the VCDPA?

The Virginia Attorney General can impose civil penalties of up to $7,500 per violation. There is no private right of action, so individual consumers cannot sue. The AG must give a 30-day cure period before taking enforcement action.

Does the VCDPA apply to small businesses?

The VCDPA has no revenue threshold, but it does require data volume thresholds to be met. You must control or process the personal data of at least 100,000 Virginia residents, or at least 25,000 if more than 50 per cent of your gross revenue comes from selling personal data.

How is the VCDPA different from the CCPA?

The VCDPA defines "sale" as monetary exchange only, excludes employee and B2B data, requires data protection assessments, and does not allow consumers to file private lawsuits. The CCPA has broader definitions and includes a private right of action for data breaches.

Do I need to honour Global Privacy Control signals under the VCDPA?

The VCDPA does not currently require businesses to recognise GPC signals as valid opt-out requests. Some other state laws, like the Colorado Privacy Act, do mandate GPC recognition.

Take Control of Your Cookie Compliance

If you serve visitors from Virginia and other US states, a geo-targeted cookie setup helps you meet each jurisdiction's requirements without over-blocking. Kukie.io detects visitor locations, categorises your cookies, and provides the right consent experience for each region - whether that is an opt-in banner for the EU or an opt-out mechanism for US states.
