



Discover the cookie consent requirements under Virginia's Consumer Data Protection Act (VCDPA) and learn how it compares to GDPR, CCPA, and CPRA. Find out if VCDPA applies to your business and explore explicit consent obligations for sensitive data, children's information, and new purposes. Learn the best practices for obtaining VCDPA cookie consent and the potential penalties for non-compliance. Simplify your compliance efforts with a cookie management platform designed to handle legal updates and ensure smooth implementation.
Virginia has joined the ranks of US states taking decisive action to protect consumers' personal information. The Virginia Consumer Data Protection Act (VCDPA) has introduced a comprehensive framework designed to ensure the privacy and security of personal data in the state.
This means more rights for consumers, but also more legal requirements for businesses. That's a good reason to learn more about the VCDPA, particularly its cookie consent requirements.
The VCDPA is not as strict as the EU's General Data Protection Regulation (GDPR) in terms of cookies. It shares similarities with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and follows the trend set by all the US states that have passed any kind of privacy law.
In this blog post, we will delve into the requirements for VCDPA cookie consent, shedding light on what businesses operating in Virginia need to know. As the second state in the United States to enforce its own data protection law, Virginia's VCDPA shares similarities with prominent consumer privacy regulations such as the CCPA and CPRA. However, compliance with the California laws doesn’t necessarily mean compliance with the Virginia law. That’s why it is important to recognize the unique nuances and specific provisions outlined in the VCDPA to ensure compliance.
VCDPA applies to you if you conduct business in Virginia or cater to Virginia residents, and if:
Unlike other US states' privacy laws, it does not prescribe an annual gross revenue threshold.
The Virginia Consumer Data Protection Act exempts state governments and non-profit organizations from compliance requirements, as well as personal information regulated under industry-specific privacy legislation, such as data regulated under the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and others.
The personal information of consumers acting in an employment context is also exempt.
The exact VCDPA definition of consent is:
“Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
This tells us that:
Consent must be:
The second part of the definition states that consent may be given in a written form, including a statement given by electronic means.
For websites, this means unambiguous action on a cookie banner. If the user clicks on the Accept Cookies button, you can use them and collect their data. If they click on Decline Cookies or do not click anywhere whatsoever, you must not use cookies.
You don't need to obtain cookie consent to comply with the VCDPA. You are free to use any type of cookies as long as consumers do not opt out of data processing.
Virginia's CDPA relies on the opt-out principle, which means that you are not required to get an opt-in from data subjects. You just need to allow them to opt out when they want.
However, there are three exceptions to this rule where you must obtain users' explicit consent:
Each exception deserves further explanation.
Although the processing of sensitive personal data is usually related to health information handled by hospitals or financial data handled by financial institutions, it doesn't mean that small businesses cannot fall under the scope of the VCDPA consent requirements.
The following categories of personal data are considered sensitive:
When it comes to cookies and trackers, the only sensitive data they can collect is the data of a known child or precise geolocation data. If your website or app processes such data with the help of cookies, you need to obtain explicit consent before collecting it.
You can obtain VCDPA cookie consent for sensitive personal information via a privacy notice asking consumers if they agree to the processing of their data. This could happen when they arrive on the website, or before they download or start using an app, etc. It all depends on the context of your specific case.
You have to ensure that the consent is freely given, informed, specific, and unambiguous.
Getting informed consent is essential for valid consent, so having an up-to-date privacy policy is very important.
If you knowingly collect children's data, you must obtain parental consent.
VCDPA children's personal information is the personal information that identifies a child younger than 13 years of age.
Once the child turns 13, the Virginia privacy law no longer considers them a child, and these rules do not apply to them.
When you knowingly collect children's personal information, you need to obtain explicit consent from the parent or guardian of the child. This is not always straightforward in online business, so VCDPA refers to the consent requirements set out in the Children's Online Privacy Protection Act (COPPA).
It explicitly says that you can rely on the following methods:
You have collected consumers' personal data for a specific purpose. But now, you want to process it for another business goal. That triggers a consent requirement.
Let's say that you have collected consumers' financial statement data to provide them with your services related to financial products. Now you want to use the same data for profiling your customers in order to serve them with targeted ads.
The advertising purpose is a new one. When you collected their data, your privacy notice stated that the financial data would be used for the provision of services and products. Now you want to use it for advertising.
For the new advertising purpose, you need to get consent.
Let's say that you offer consumers a flashlight app. But before using it, you ask them for their contact information and browsing history. That data is not necessary for providing a flashlight app.
However, you can ask for that information. If you get consent, you can collect it and use it. If users don't give you consent, you must not collect it at all.
The opt-out principle described above lets you freely process data for purposes in line with those the data was collected for. For any other purpose, you need consent.
Just ask for consent via a cookie banner before data collection. Do not use the cookies before getting unambiguous consent.
Also, ensure that the consumers are informed about your new purposes and that the consent is specific and freely given.
Obtaining consent is not the only consent-related requirement in the VCDPA. There are a few more that may be triggered due to consent collection. This includes storing and managing consent, data security, consumer requests to exercise consumer rights, and others.
Some of your duties will include:
VCDPA penalties are $2,500 per violation and $7,500 per intentional violation per incident. This means that a business that intentionally violates the rights of 100 consumers may face fines of up to $750,000. Violating the rights of 1,000 consumers would mean a penalty of up to $7.5 million. It can add up quickly.
In addition to monetary penalties, the VCDPA also allows the Virginia Attorney General to seek injunctive relief, bringing actions in state court to enjoin any violations or threatened violations of the VCDPA.
Consumers also have a private right of action, which means that non-compliant businesses may face class-action lawsuits by consumers.
On top of that, businesses will lose consumer trust and reputation.
The best practice for obtaining VCDPA cookie consent is to use a cookie management platform (CMP). Using one offers numerous benefits for businesses of all sizes. These platforms provide a streamlined and efficient solution for managing user consent in compliance with data protection regulations. Here are some key advantages of utilizing a CMP: