Mastering VCDPA Cookie Consent: Essential Tips for Achieving Compliance

Virginia has joined the ranks of US states taking decisive action to protect consumers' personal information. The Virginia Consumer Data Protection Act (VCDPA) has introduced a comprehensive framework designed to ensure the privacy and security of personal data in the state.

This means more rights for consumers, but also more legal requirements for businesses. That's a good reason to learn more about the VCDPA, particularly its cookie consent requirements.

The VCDPA is not as strict as the General Data Protection Regulation (GDPR) of the EU in terms of cookies. It draws similarities to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and follows the trend set by all the US states that have passed any kind of privacy law.

In this blog post, we will delve into the requirements for VCDPA cookie consent, shedding light on what businesses operating in Virginia need to know. As the second state in the United States to enforce its own data protection law, Virginia's VCDPA shares similarities with prominent consumer privacy regulations such as the CCPA and CPRA. However, compliance with the California laws doesn’t necessarily mean compliance with the Virginia law. That’s why it is important to recognize the unique nuances and specific provisions outlined in the VCDPA to ensure compliance.

Does VCDPA Apply to You?

VCDPA applies to you if you conduct business in Virginia or cater to Virginia residents, and if:

1. You handle or process the personal data of a minimum of 100,000 users.
2. You handle or use the personal information of at least 25,000 consumers and generate more than 50% of your gross income from selling personal data.

Unlike other US states’ privacy laws, it does not prescribe a gross revenue in a calendar year threshold.

The Virginia Consumer Data Protection Act exempts state governments and non-profit organizations from compliance requirements, as well as personal information regulated under industry-specific privacy legislation, such as data regulated under the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and others.

Consumers' personal information when acting in an employment context is also exempt.

What is VCDPA Cookie Consent?

The exact VCDPA definition of consent is:

“Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

This tells us that:

Consent must be:

• Freely given, which means that the consumer shall not be pushed into giving consent;
• Specific, which means that you need to obtain consent for a specific purpose, or in the case of the VCDPA, specifically ask for consent for the processing of children’s data, sensitive data, and so on;
• Informed, meaning that you need to disclose your processing purposes to consumers; and
• Unambiguous, preventing you from using cookies before they take affirmative action to confirm they are fine with cookies. Cookie banners stating “By browsing this website, you agree to the use of cookies” are a thing of the past in Virginia in cases where you must obtain cookie consent.

The second part of the definition states that consent may be given in a written form, including a statement given by electronic means.

For websites, this means unambiguous action on a cookie banner. If the user clicks on the Accept Cookies button, you can use them and collect their data. If they click on Decline Cookies or do not click anywhere whatsoever, you must not use cookies.

Do I Need to Obtain Cookie Consent Under the VCDPA?

You don't need to obtain cookie consent to comply with the VCDPA. You are free to use any type of cookies as long as consumers do not opt out of data processing.

Virginia's CDPA relies on the opt-out principle, which means that you are not required to get an opt-in from data subjects. You just need to allow them to opt out when they want.

However, there are three exceptions to this rule where you must obtain explicit users' consent:

1. When you process sensitive personal information,
2. When you collect children's personal information, and
3. When you want to process personal information for purposes other than those for which you collected the data.

Each exception deserves further explanation.

VCDPA Consent for Processing Sensitive Personal Information

Although the processing of sensitive personal data is usually related to health information handled by hospitals or financial data handled by financial institutions, it doesn't mean that small businesses cannot fall under the scope of the VCDPA consent requirements.

What is VCDPA Sensitive Personal Information

The following categories of personal data are considered sensitive:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
• The personal data collected from a known child; or
• Precise geolocation data.

When it comes to processing personal data via cookies and trackers, they can collect only the data of a known child or precise geolocation data. If your website or app processes such data with the help of cookies, you need to obtain explicit consent before collecting it.

How to Obtain Cookie Consent for Sensitive Personal Data Processing?

You can obtain VCDPA cookie consent for sensitive personal information via a privacy notice asking consumers if they agree to the processing of their data. This could happen when they arrive on the website, or before they download or start using an app, etc. It all depends on the context of your specific case.

You have to ensure that the consent is freely given, informed, specific, and unambiguous.

Getting informed consent is essential for valid consent, so having an up-to-date privacy policy is very important.

VCDPA Consent for Processing Children’s Personal Information

If you knowingly collect children's data, you must obtain parental consent.

What is VCDPA Children's Information?

VCDPA children's personal information is the personal information that identifies a child younger than 13 years of age.

Once the child turns 13, the Virginia privacy law does not consider them as a child, and these rules do not apply to them.

How to Obtain Cookie Consent for Processing of Children’s Personal Information?

When you knowingly collect children's personal information, you need to obtain explicit consent from the parent or guardian of the child. This is not always straightforward in online business, so VCDPA refers to the consent requirements set out in the Children's Online Privacy Protection Act (COPPA).

It explicitly says that you can rely on the following methods:

• A consent form to be signed and returned via postal mail, fax, or electronic scan.
• Requesting a credit card or other online payment method for verification purposes, with a nominal charge that is refunded or not charged.
• Utilizing a video conference call or similar technology to visually confirm the parent's identity.
• Accepting a government-issued identification, such as a driver's license or passport, accompanied by a signed consent form.
  

VCDPA Consent for Processing Personal Information for New or Unnecessary Purposes

You have collected consumers' personal data for a specific purpose. But now, you want to process it for another business goal. That triggers a consent requirement.

What Does New Purpose Mean?

Let's say that you have collected consumers' financial statement data to provide them with your services related to financial products. Now you want to use the same data for profiling your customers in order to serve them with targeted ads.

The advertising purpose is a new one. When you collected their data, your privacy notice stated that the financial data would be used for the provision of services and products. Now you want to use it for advertising.

For the new advertising purpose, you need to get consent.

What Does Unnecessary Purpose Mean?

Let's say that you offer consumers a flashlight app. But before using it, you ask them for their contact information and browsing history. That data is not necessary for providing a flashlight app.

However, you can ask for that information. If you get consent, you can collect it and use it. If users don't give you consent, you must not collect it at all.

The opt-out principle described above allows freely processing data for purposes in line with the collected data. For any other purpose, you need consent.

How to Obtain VCDPA Cookie Consent for New or Unnecessary Purposes?

Just ask for consent via a cookie banner before data collection. Do not use the cookies before getting unambiguous consent.

Also, ensure that the consumers are informed about your new purposes and that the consent is specific and freely given.

What Are Other Requirements Related to VCDPA Cookie Consent?

Obtaining consent is not the only consent-related requirement in the VCDPA. There are a few more that may be triggered due to consent collection. This includes storing and managing consent, data security, consumer requests to exercise consumer rights, and others.

Some of your duties will include:

1. Establishing methods and procedures for honoring consumer requests. Consumers have the right to access, right to deletion, right to opt-out of the sale of personal data, and other rights. When it comes to consent, a consumer may ask for proof that they have given consent, the categories of third parties with whom their data has been shared, the deletion of the data collected upon consent, and so on.
2. Storing and managing consent. You need means to request, collect, and manage consents. Consent management platforms are a good option to handle that.
3. Data protection assessments. Considering that consent is required for processing activities involving children's data and sensitive data, you should conduct data protection assessments to assess the risks related to that. The assessment will give you an idea of whether the processing of personal data subject to consent is truly necessary and how you can manage the risks.
   

What Are the VCDPA Penalties for Non-Compliance with the Cookie Consent Requirements?

VCDPA penalties are $2,500 per violation and $7,500 per intentional violation per incident. It means that if a business violates the rights of 100 consumers intentionally, they may face fines up to $750,000. Violating the rights of 1,000 consumers would mean a penalty of up to $7.5 million. It can add up quickly.

In addition to monetary penalties, the VCDPA also allows the Virginia Attorney General to seek injunctive relief, bringing actions in state court to enjoin any violations or threatened violations of the VCDPA.

Consumers also have a private right of action, which means that non-compliant businesses may face class-action lawsuits by consumers.

On top of that, businesses will lose consumer trust and reputation.

Best Practices for Obtaining VCDPA Cookie Consent

The best practice for obtaining VCDPA cookie consent is to use a cookie management platform (CMP). Using one offers numerous benefits for businesses of all sizes. These platforms provide a streamlined and efficient solution for managing user consent in compliance with data protection regulations. Here are some key advantages of utilizing a CMP:

1. Law Updates: Virginia's data privacy law has been updated already. Can you afford to follow legal updates all the time and react to them? One of the significant advantages of using a CMP is that it takes care of law updates. It ensures that your consent collection processes remain up to date with the latest legal requirements, saving you the time and effort of tracking and implementing these changes manually, and reducing the risk of non-compliance.
2. Bug and Software Issue Management: Software has bugs all the time. CMPs handle the technical aspects of consent management, including addressing bugs and other software issues. If you want smooth functionality and a hassle-free experience with consent management, it's better to outsource it to a CMP.
3. Easy Implementation: Secure Privacy's cookie consent management solution requires installing only a few lines of code on your website or app. It couldn't be easier. CMPs offer user-friendly interfaces and easy implementation processes. Moreover, the Secure Privacy CMP comes with built-in templates for consumer consent collection specifically for Virginia. You can choose whether you want to comply with the VCDPA, the Colorado privacy law, the California CCPA, the Utah consumer privacy law, or all of them at once. You can implement all these solutions without extensive technical expertise.
4. Affordability for Businesses of Any Size: With prices starting at $100 a year, no business can justify non-compliance with a lack of money. CMPs typically offer tiered pricing plans, allowing businesses to choose a package that aligns with their requirements and budget. This affordability ensures that small and medium-sized enterprises can access professional consent management tools without incurring significant costs, leveling the playing field and promoting compliance for all.