VCDPA Cookie Compliance: A Comprehensive Guide for Businesses

The Virginia Consumer Data Protection Act is one of the few privacy laws in US states that requires obtaining cookie consent in certain cases.

In this comprehensive guide, we will delve into the world of VCDPA cookie compliance, exploring the key concepts, obligations, and best practices that businesses need to know. Whether you're an e-commerce giant, a local service provider, or a website owner, understanding and implementing VCDPA cookie compliance is essential for building trust with your Virginia-based audience and avoiding hefty penalties from the Attorney General.

In this article, we’ll delve into:

• VCDPA cookie consent requirements,
• The importance of a compliant privacy notice,
• VCDPA consumer requests,
• Data Protection Assessments, and
• How to comply with the VCDPA cookie requirements.

But first, let’s check whether the VCDPA applies to you.

Does the VCDPA Apply to Your Business?

The Virginia Consumer Data Protection Act (VCDPA) applies to you if you conduct business in Virginia or serve Virginia residents, provided that you meet the following criteria:

• Handling or processing personal data belonging to a minimum of 100,000 Virginia residents, or
• Handling or using personal information from at least 25,000 Virginia consumers and deriving more than 50% of your gross income from the sale of personal data.

Unlike privacy laws in other U.S. states, the VCDPA does not set a specific gross revenue threshold within a calendar year.

There are certain exemptions to compliance under the Virginia Consumer Data Protection Act. State governments, non-profit organizations, and personal information regulated by industry-specific privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), among others, are exempt from VCDPA requirements.

Additionally, the VCDPA does not cover consumers' personal information when it pertains to employment-related contexts.

The personal information under the VCDPA scope must be information belonging to an identifiable natural person. De-identified data, publicly available information, or data in the employment context are not considered consumer personal data.

What is VCDPA Cookie Consent?

The Virginia CDPA provides a clear and specific definition of consent, ensuring businesses understand the requirements for obtaining consent from consumers.

According to the VCDPA:

"Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action."

Breaking down this definition, we can identify the key elements of consent as follows:

• Freely Given: Consent must be voluntary, without any coercion or pressure on the consumer to provide consent. You must not condition anything with consent.
• Specific: Consumers’ consent must be obtained for a particular purpose.
• Informed: Businesses are obligated to inform consumers about the purpose of data processing, ensuring transparency and clarity. Your privacy notice and privacy policy will help you do that.
• Unambiguous: Only affirmative action by the consumer means consent. It must be clear and explicit. The use of outdated cookie banners stating, "By browsing this website, you agree to the use of cookies," is no longer sufficient in Virginia when explicit cookie consent is required.

The definition further highlights that consent can be given in written form, including statements provided electronically. In the case of websites, this translates to unambiguous action on a cookie banner. If a user clicks on the "Accept Cookies" button, their data can be collected, and cookies can be utilized. However, if they choose to click "Declain Cookies" or take no action at all, cookies must not be used.

When to Request VCDPA Cookie Consent?

In general, the Virginia data privacy law does not require consent for data processing. It relies on the opt-out principle and allows data processing unless the consumer opts out.

However, it explicitly requires opt-in in certain situations: when processing sensitive personal data, children’s data, or data for unnecessary or new purposes.

1. VCDPA Consent for Processing Sensitive Personal Information

Under the VCDPA, explicit consent is required when processing sensitive personal information. This includes:

• Data revealing racial or ethnic origin, religious beliefs, mental or physical health information, sexual orientation, citizenship or immigration status,
• Genetic or biometric data for identification purposes,
• Personal data collected from a known child, or
• Precise geolocation data.

If your website or app utilizes cookies to process such data, you must obtain explicit consent before collecting it. You can acquire VCDPA cookie consent for sensitive personal information by presenting a privacy notice to consumers, either upon their website arrival or before downloading and using an app.

The consent must be freely given, informed, specific, and unambiguous, ensuring compliance with the VCDPA.

2. VCDPA Consent for Processing Children's Personal Information

You need parental consent to knowingly collect personal information from children under the age of 13.

Virginia’s VCDPA does not go into detail on how to obtain parental consent, but it points to the COPPA methods:

1. Signed parental consent form: Consent can be obtained by having parents sign a consent form, which can be returned via postal mail, fax, or electronic scan.
2. Verification through a payment method: Businesses may request verification by asking individuals to provide a credit card or other online payment method for verification purposes. A nominal charge may be applied, which can be refunded or not charged at all.
3. Video conference confirmation: Utilizing video conference calls or similar technology is permitted to visually confirm the identity of the parent or guardian providing consent.
4. Government-issued identification: Accepting a government-issued identification, such as a driver's license or passport, along with a signed consent form, is another acceptable method for obtaining consent.
   

3. VCDPA Consent for Processing Personal Information for New or Unnecessary Purposes

If you wish to process consumers' personal data for purposes beyond the originally collected intent, explicit consent is necessary.

This scenario arises when you have collected personal data for a specific purpose, but now seek to utilize it for a different business goal. For example, when you want to use your consumers’ fitness data for profiling them and serving targeted ads.

Similarly, if you collect personal data for one purpose, such as offering a flashlight app, but request additional unnecessary information like contact details and browsing history, explicit consent is required to collect and use that data.

For new or unnecessary purposes, consent may be obtained via a cookie banner before initiating data collection. Consumers should be informed about the new purposes, and the consent obtained should be specific, freely given, and unambiguous.

Privacy Notice

Consent must be informed. This is where a comprehensive and accessible privacy notice comes into play.

A privacy notice serves as a vital tool for businesses to communicate with their users and ensure that individuals are well-informed about how their personal data is being collected, used, and shared. Under the VCDPA, a privacy notice plays a crucial role in obtaining valid consent from consumers.

Most notably, you can process personal data without consent only for the disclosed purposes in your notice. If you want to use the collected data for another purpose, you need to ask for permission.

The privacy notice should provide a detailed overview of the specific purposes for which the data will be used. Whether it's for enhancing user experience, providing personalized recommendations, or facilitating targeted advertising, each purpose should be clearly and concisely explained. Additionally, the notice should outline the categories of personal data that will be collected, ensuring individuals are aware of the types of information that will be processed.

To ensure compliance with the VCDPA, businesses should regularly review and update their privacy notice to reflect any changes in data processing practices or legal requirements.

Consumer Requests

Consumers have consumer rights, and you must establish robust methods and procedures to honor consumer requests and uphold individuals' privacy rights.

Consumers are granted various rights, including the right to access their personal data, the right to request deletion of their data, the right to opt out of the sale of personal data, and other related rights.

Additionally, consumers have the right to request specific information regarding their consent and the processing of their personal data.

To effectively address consent-related consumer requests and ensure compliance with the VCDPA, businesses should implement the following measures:

Right to know and access to personal data: Consumers have the right to know which categories of personal data you have collected about them, including with their consent. You also must disclose the categories of third parties with whom it has been shared.

Proof of consent: Consumers have the right to request proof that they have given consent for the processing of their personal data. Having a system for storing and management of consent, such as timestamped records or confirmation emails, is essential to address these requests effectively.

Right to deletion: Consumers have the right to request the erasure of their personal data collected upon their consent.

Opt-out of sale of personal data: If a business sells personal data, it must provide consumers with a clear and accessible option to opt out of such sales.

Data Protection Assessments

Keeping in mind that obtaining consent means processing activities involving children's data and sensitive data, it is crucial for businesses to perform thorough data protection assessments.

These assessments enable businesses to evaluate the risks associated with such processing activities, determine the necessity of processing personal data subject to consent, and develop effective risk management strategies.

Here's how businesses can benefit from this requirement:

Assessing Risks: A comprehensive data protection assessment can identify the potential risks associated with processing children's data or sensitive data. This assessment involves analyzing the types of data being processed, the purposes of the processing, the potential impact on individuals, and the security measures in place.

Necessity of Processing: Processing sensitive data is a risk in itself. Do you really need to process it? The assessment provides insights into whether the processing of personal data subject to consent is genuinely necessary for the intended purposes. It helps you evaluate if there are alternative methods or legal bases for processing that could minimize risks while achieving the desired outcomes.

Risk Management Strategies: The assessment will enable you to develop effective risk management strategies, such as technical and organizational measures to mitigate identified risks. This includes encryption, access controls, data minimization, and regular security audits.

VCDPA v. CCPA/CPRA v. GDPR

Virginia is the second state to pass privacy legislation in the United States. It follows the trail set by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

It draws many similarities with them, most notably the reliance on the opt-out principle in the use of cookies and other trackers. As a result, it is equally similar to the state data protection laws of Colorado, Utah, Connecticut, and Iowa.

However, it is not very similar to the EU’s General Data Protection Regulation (GDPR). The landmark European law requires opt-in for most of the data processing. As a consequence, many other legal requirements between the two laws differ.

Non-Compliance and Penalties

The Virginia Consumer Data Protection Act imposes significant penalties for non-compliance, including:

Monetary penalties: The VCDPA prescribes penalties of $2,500 per violation and $7,500 per intentional violation per incident. This means that a business intentionally violating the rights of 100 consumers could face fines of up to $750,000. In the case of violating the rights of 1,000 consumers, the penalty could escalate to a staggering $7.5 million. These penalties can accumulate swiftly.

Injunctive relief: In addition to monetary penalties, the VCDPA grants the Virginia Attorney General the authority to seek injunctive relief. This allows the Attorney General to initiate legal action in state court to enjoin violations or threatened violations of the VCDPA.

Private Right of Action: Consumers also have the right to bring class actions against non-compliant businesses.

Beyond legal and financial consequences, non-compliant businesses risk damaging their reputation and losing consumer trust. Privacy breaches or mishandling of personal data can lead to negative publicity, erosion of customer loyalty, and a tarnished brand image.

How to Comply with VCDPA Cookie Requirements

The easiest way to meet the VCDPA cookie compliance requirements is to use a consent management platform. There are several reasons why it is a good practice:

• They have teams dedicated to tracking data protection laws worldwide and implementing them in the CMP
• Their pricing is affordable for businesses of all sizes, and
• They take care of bugs and other everyday software issues.