Last reviewed: 2026-05-05 Reviewer: M.K., CIPP/US
Commonwealth of Virginia

WEB ANALYTICS · COOKIE COMPLIANCE · NORTHERN AMERICA · US-VA

Virginia — analytics & cookie compliance reference

Second comprehensive US state privacy law (effective 1 Jan 2023). Opt-out baseline for sale and targeted advertising; AG-only enforcement; permanent 30-day cure period; broad employee + B2B exemption. Business-friendly counterweight to California.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Virginia consumers. VCDPA applies to controllers meeting volume-based threshold tests (≥100K residents OR ≥25K + 50% revenue from sale). Sectoral overlays (HIPAA, GLBA, FERPA, COPPA) are addressed only where they intersect with the analytics layer.

National addons

Country-specific statutes layered on the EU baseline.

VCDPA
Virginia Consumer Data Protection Act
Comprehensive consumer privacy law modeled in part on GDPR (controller/processor terminology, DPIA-equivalent 'data protection assessments') but operating on a US opt-out baseline (no consent for routine collection; opt-out of sale, targeted advertising, and profiling with legal/significant effects). Notable departures from California: no private right of action, no Universal Opt-Out Mechanism mandate at launch (recognized 2025), broad employee + B2B exemptions retained, permanent 30-day cure period (no sunset).
  • § 59.1-577 Consumer rights — access, correction, deletion, portability, opt-out of sale / targeted advertising / certain profiling
  • § 59.1-578 Controller responsibilities — privacy notice, data minimization, purpose limitation, sensitive-data opt-IN, non-discrimination
  • § 59.1-579 Processor obligations — written contract with prescribed terms (assistance, security, sub-processor flow-down, deletion/return at end)
  • § 59.1-580 Data protection assessments — required for targeted advertising, sale, sensitive-data processing, profiling with reasonably foreseeable risk, and other heightened-risk processing
  • § 59.1-584 Enforcement — Attorney General exclusive; 30-day cure period (permanent, no sunset); civil penalties up to $7,500 per violation; no private right of action
Va. Code § 59.1-575 et seq. — enacted SB 1392 (signed 2 Mar 2021 by Gov. Northam), effective 1 Jan 2023. First US state comprehensive privacy law to take effect after California.
VCDPA Children Amendment
Virginia Consumer Data Protection Act — Children's Online Protections (SB 361 / HB 707)
Strengthens protections for minors under 18. Prohibits controllers from processing personal data of a known child (under 13) for targeted advertising, sale, or certain profiling without verifiable parental consent (parallels federal COPPA). For minors aged 13-17, prohibits targeted advertising, sale, and profiling with foreseeable risk of harm without affirmative opt-in. Aligns Virginia with the Connecticut/Maryland minors-protection wave.
  • § 59.1-578(A)(5) Known-child processing — VPC required for under-13 (incorporates COPPA standard)
  • § 59.1-578(A)(6) Teen opt-in — under-18 cannot be subject to targeted advertising, sale, or risky profiling without affirmative consent
2024 Va. Acts ch. 791 / 792, amending Va. Code § 59.1-578. Effective 1 Jan 2025.
VCDPA UOOM Recognition
Universal Opt-Out Mechanism — administrative recognition under VCDPA
Unlike CCPA/CPRA where GPC honoring is mandated by regulation (11 CCR § 7025), VCDPA's statute did not originally require recognition of any browser-level opt-out signal. Virginia OAG 2025 guidance now treats GPC as a valid expression of opt-out for sale and targeted advertising. Functionally aligns Virginia with Colorado, Connecticut, and California on UOOM. Not a statutory change — recognized via enforcement priority.
  • § 59.1-577(C) Opt-out method — controllers must provide a clear and conspicuous mechanism; OAG guidance interprets GPC as one valid mechanism
Virginia OAG guidance (2025) recognizing Global Privacy Control (GPC) as a valid opt-out signal under § 59.1-577(C).

Regulators

Supervisory authorities that interpret and enforce privacy law here.

State / Land DPAs · 1 authority

Land / state · Authority · Note
Virginia — OAG · Virginia Office of the Attorney General · SOLE VCDPA enforcer (§ 59.1-584). No private right of action; no dedicated state privacy agency analogous to California's CPPA. Consumer Protection Section receives complaints via OAG website. Civil penalties up to $7,500 per violation pursued in Circuit Court. Permanent 30-day cure period applies before any enforcement action.

Coordination body

Virginia OAG enforcement model · Single-regulator AG-exclusive enforcement
VCDPA designates the Virginia Attorney General as the exclusive enforcer. There is no private right of action and no separate state privacy agency. The OAG must issue a notice of violation and allow a 30-day cure period before commencing any action — this differs structurally from CCPA, where the original 30-day cure was sunsetted by CPRA effective 1 Jan 2023.
  • 2023-01-01 · VCDPA effective date — Virginia OAG Consumer Protection Section assumes VCDPA enforcement responsibility. Early posture: education-first, with cure period offered before any penalty action.
  • 2024-12 · Children's amendment guidance — OAG signals heightened scrutiny of ad-tech and gaming targeting under-18 users following effective date of SB 361 / HB 707 (1 Jan 2025).
  • 2025 · UOOM / GPC recognition — Virginia OAG administratively recognizes Global Privacy Control browser signal as a valid opt-out under § 59.1-577(C). Aligns Virginia with Colorado, Connecticut, California on UOOM honoring.

Notable enforcement

Virginia's enforcement velocity is intentionally lower than California's by structural design. Three architectural choices drive this: (1) AG-only enforcement with no parallel agency means resources are bounded by OAG Consumer Protection Section staffing — no equivalent to CPPA's dedicated 5-member board with rulemaking and audit powers. (2) The permanent 30-day cure period (not sunset like CCPA's) creates a soft-landing pathway — most matters resolve through cure rather than penalty. (3) No private right of action eliminates the plaintiffs' bar as an enforcement multiplier. Through 2025, public enforcement actions remain thin; the OAG has emphasized education and complaint-driven investigation. Practical analytics consequence: a controller already CCPA-compliant (Do-Not-Sell-or-Share link, GPC honoring, conforming processor contracts, opt-in for sensitive data) is substantially VCDPA-compliant by extension. Civil penalties cap at $7,500 per violation. Multi-state coordinated investigations (alongside California, Colorado, Connecticut OAGs) are emerging in 2025 on connected-vehicle data and cross-state ad-tech — Virginia tends to participate as a coalition member rather than first-mover.

GA4 status

GA4 is legal in Virginia with light-touch safeguards. VCDPA uses an opt-OUT baseline (no consent required for routine analytics), employee + B2B contexts are entirely exempt, and there is no Do-Not-Sell-or-Share link mandate equivalent to CCPA § 1798.135. Practical requirements are limited to: (1) privacy notice listing categories of personal data and purposes, (2) opt-out mechanism for sale/targeted advertising (a privacy-preferences page link suffices; GPC honoring now expected after 2025 OAG guidance), (3) processor contract with Google meeting § 59.1-579 prescribed terms, (4) opt-IN for sensitive-data processing (precise geolocation, health, biometric, etc.), and (5) under-13 verifiable parental consent + under-18 affirmative opt-in for targeted advertising effective 1 Jan 2025. Substantially less burdensome than California; controllers already CCPA-compliant generally exceed VCDPA requirements by default.

DPA · Stance
Virginia OAG · Permissive on routine analytics. No consent required, no Do-Not-Sell-or-Share link mandate. Cure-period model means most analytics-related complaints resolve through remediation rather than penalty. Honor GPC after 2025 guidance; gate sensitive-data processing behind opt-in; respect children/teen rules from 1 Jan 2025.

Cross-border transfers + Schrems II

Domestic US — no Schrems II issue. Cross-border transfer mechanisms (DPF, SCCs) are not relevant when both controller and Virginia consumer are in the US. Note: VCDPA applies to non-US businesses processing Virginia-resident data above the threshold tests, but Virginia does not impose adequacy or transfer-mechanism requirements analogous to GDPR Chapter V.

Not applicable. VCDPA § 59.1-579 requires a written contract between controller and processor with prescribed terms (instructions, confidentiality, security, sub-processor flow-down, deletion/return at termination, audit assistance). Failure to execute conforming processor contracts is itself a violation — controllers cannot rely on informal arrangements with vendors handling Virginia consumer data.

Employee data

Key thresholds

Child consent age
13 years
Article 27 representative
Not required
Marketing consent
Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 2 green · 1 yellow · 1 red
Vendor · Status · Rationale
[vendor not captured] · GREEN · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. US baseline more permissive.
[vendor not captured] · GREEN · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. US baseline more permissive.
[vendor not captured] · YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
[vendor not captured] · RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
[vendor not captured] · GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
[vendor not captured] · GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
[vendor not captured] · GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
[vendor not captured] · GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults. US baseline more permissive.
[vendor not captured] · GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 3 yellow · 0 red
Vendor · Status · Rationale
[vendor not captured] · YELLOW · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured.
[vendor not captured] · YELLOW · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured.
[vendor not captured] · YELLOW · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
[vendor not captured] · GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
[vendor not captured] · GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
[vendor not captured] · YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.


Common questions

Is Google Analytics legal in Virginia in 2026?
Yes, with light safeguards. Virginia uses an opt-OUT baseline (unlike GDPR opt-in and even lighter than CCPA), so GA4 may be deployed without pre-collection consent. Practical floor: (1) privacy notice listing data categories and purposes, (2) opt-out mechanism for sale/targeted advertising (a privacy-preferences page suffices — no homepage 'Do Not Sell' link mandate as in California), (3) processor contract with Google meeting § 59.1-579 prescribed terms, (4) opt-IN for sensitive data (precise geolocation, health, biometric), (5) honor Global Privacy Control after 2025 OAG guidance. Controllers already CCPA-compliant generally exceed VCDPA requirements automatically.
How is VCDPA different from California's CCPA/CPRA?
Five major structural differences. (1) No private right of action — only the Virginia AG can enforce; no plaintiffs' bar pressure. (2) Permanent 30-day cure period (CCPA's was sunsetted by CPRA effective 1 Jan 2023). (3) Broad employee + B2B exemption — § 59.1-576 excludes individuals 'acting in a commercial or employment context'; CPRA fully ended this exemption 1 Jan 2023. (4) No mandatory homepage 'Do Not Sell or Share' link — opt-out mechanism can live on a privacy-preferences page. (5) Sensitive-data baseline is opt-IN (vs. CCPA's opt-out 'right to limit'). Net effect: VCDPA is materially lighter for controllers.
Do I meet the VCDPA thresholds?
VCDPA applies to controllers doing business in Virginia (or producing products/services targeted at Virginia residents) that during a calendar year either: (a) control or process personal data of at least 100,000 Virginia consumers, OR (b) control or process personal data of at least 25,000 Virginia consumers AND derive over 50% of gross revenue from the sale of personal data. There is no revenue-only threshold (unlike CCPA's $26.625M test). 'Consumer' excludes employment and commercial contexts.
Is a 'Do Not Sell My Personal Information' link required in Virginia?
No homepage link mandate. VCDPA § 59.1-577(C) requires controllers to provide 'a clear and conspicuous link' to an opt-out mechanism, but this is satisfied by a privacy-preferences page accessible from the privacy notice — not a separate homepage link as required by CCPA § 1798.135. Many controllers serving multiple states deploy a single 'Your Privacy Choices' link to satisfy both California and Virginia simultaneously, which exceeds Virginia's floor.
Who enforces VCDPA?
The Virginia Attorney General — exclusively. § 59.1-584 designates the AG as sole enforcer; there is no private right of action and no separate state privacy agency analogous to California's CPPA. Consumer complaints flow through the OAG Consumer Protection Section. The AG must issue a notice of violation and allow 30 days for cure before any enforcement action — a permanent feature with no sunset clause. Civil penalties cap at $7,500 per violation, pursued in Circuit Court.
What is the 30-day cure period and why does it matter?
VCDPA § 59.1-584(B) requires the AG to give controllers written notice of any violation and allow 30 days to cure before any enforcement action. Unlike CCPA's original cure period (sunsetted by CPRA 1 Jan 2023), Virginia's cure period has no sunset — it is a permanent feature of the regime. Practical consequence: most VCDPA matters resolve through remediation rather than penalty. Controllers should treat any OAG cure letter as a serious operational deadline, not a warning to ignore.
Does VCDPA apply to my employees and B2B contacts?
No. § 59.1-576 defines 'consumer' as a Virginia resident 'acting only in an individual or household context' and explicitly excludes those 'acting in a commercial or employment context.' This is the single biggest structural difference vs. California. Employee productivity monitoring, B2B-portal session replay, contractor-tracking analytics, and HR-system pixels are entirely outside VCDPA scope. Federal law (NLRA, ADA, ECPA wiretap) and Virginia common-law privacy torts may still apply, but VCDPA does not.
What counts as 'sensitive data' under VCDPA, and what does opt-in mean here?
Sensitive data per § 59.1-575 includes: racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, citizenship/immigration status, genetic or biometric data processed to identify an individual, personal data of a known child, and precise geolocation data. § 59.1-578(A)(5) requires affirmative opt-IN consent (not opt-out) before processing sensitive data. This is stricter than CCPA's opt-out 'right to limit use' and aligns conceptually with GDPR Art 9 — though the categories don't fully match GDPR's special-category list.
Are children's data rules different in 2026?
Yes, after the 2024 amendment effective 1 Jan 2025. Under-13: verifiable parental consent required (parallels federal COPPA standard). Ages 13-17: prohibition on targeted advertising, sale, and profiling with foreseeable risk of harm absent affirmative minor opt-in. § 59.1-578(A)(5)-(6) (as amended by 2024 SB 361 / HB 707). VCDPA's children/teen rules now broadly track the Connecticut/Maryland minors-protection model.
Must I honor the Global Privacy Control (GPC) signal in Virginia?
Yes, after 2025 OAG guidance. The original VCDPA statute did not mandate recognition of any browser-level opt-out signal. However, in 2025, Virginia OAG administratively recognized GPC as a valid expression of opt-out under § 59.1-577(C)'s opt-out-mechanism requirement. This is enforcement guidance, not a regulation — but ignoring GPC despite the recognition is now an enforcement risk. Functionally, Virginia is now aligned with California, Colorado, and Connecticut on Universal Opt-Out Mechanism honoring.
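The following is an added example, not code from this page or from any vendor or regulator it mentions. It turns the practical requirements listed under "GA4 status" and the GPC answer above into a tag-firing gate: routine analytics runs on the opt-out baseline, a Global Privacy Control signal (read from `navigator.globalPrivacyControl` in the browser or the `Sec-GPC` request header server-side) or a manual opt-out stops sale and targeted advertising, sensitive-data tags wait for affirmative opt-in, and the under-13 / 13-17 rules are applied. The visitor-state shape, the tag names and the mapping of purposes to tags are this example's own assumptions, not a published API.

```javascript
// Added example (not from the page). Tag gate applying the Virginia rules the
// page summarises. State shape and tag names are assumptions for illustration.

// Detect GPC from either channel the GPC spec defines: the navigator property
// in the browser, or the Sec-GPC request header when evaluated server-side.
function gpcSignalled({ navigatorObj, requestHeaders } = {}) {
  if (navigatorObj && navigatorObj.globalPrivacyControl === true) return true;
  if (requestHeaders) {
    const raw = requestHeaders['sec-gpc'] ?? requestHeaders['Sec-GPC'];
    if (String(raw ?? '').trim() === '1') return true;
  }
  return false;
}

// Decide which processing purposes may run for one visitor.
// state: { ageBand: 'adult' | 'teen' | 'child', gpc, optedOut, sensitiveOptIn,
//          parentalConsent, teenOptIn }  (booleans default to false)
function decideProcessing(state) {
  const s = { ageBand: 'adult', gpc: false, optedOut: false, sensitiveOptIn: false,
              parentalConsent: false, teenOptIn: false, ...state };
  const reasons = [];
  const optOutActive = s.gpc || s.optedOut;

  // Personal data of a known child is listed as sensitive data, so nothing
  // runs without verifiable parental consent, not even routine analytics.
  if (s.ageBand === 'child' && !s.parentalConsent) {
    reasons.push('known child without verifiable parental consent: no processing');
    return { analytics: false, targetedAds: false, sale: false, sensitive: false, reasons };
  }

  // Opt-out baseline: routine first-party analytics needs no prior consent.
  const analytics = true;

  // Sale and targeted advertising: off for everyone on GPC or manual opt-out,
  // and off for teens unless they affirmatively opted in.
  let adsAndSale = !optOutActive;
  if (optOutActive) reasons.push(s.gpc ? 'GPC signal honoured as opt-out' : 'manual opt-out on file');
  if (s.ageBand === 'teen' && !s.teenOptIn) {
    adsAndSale = false;
    reasons.push('minor 13-17 without affirmative opt-in: no targeted ads or sale');
  }

  // Sensitive data (precise geolocation, health, biometrics, ...): opt-in only.
  // For a child, parental consent is the opt-in; we only get here with it.
  const sensitive = s.ageBand === 'child' ? s.parentalConsent : s.sensitiveOptIn;
  if (!sensitive) reasons.push('no sensitive-data opt-in: geolocation/health tags stay off');

  return { analytics, targetedAds: adsAndSale, sale: adsAndSale, sensitive, reasons };
}

// Map purposes to the tags a tag manager should load. Tag names are placeholders.
const TAGS = {
  analytics: ['ga4-pageview'],
  targetedAds: ['ads-conversion-pixel', 'remarketing-pixel'],
  sale: ['data-partner-sync'],
  sensitive: ['precise-geo-enrichment'],
};

function tagsToLoad(decision) {
  return Object.keys(TAGS).filter((k) => decision[k]).flatMap((k) => TAGS[k]);
}

// Stand-alone demo using a constructed request that carries Sec-GPC: 1.
const demoHeaders = { 'sec-gpc': '1', 'user-agent': 'constructed-example' };
const demo = decideProcessing({ ageBand: 'adult', gpc: gpcSignalled({ requestHeaders: demoHeaders }) });
console.log(tagsToLoad(demo), demo.reasons);
```

Note that GPC is treated as an opt-out that overrides an earlier affirmative opt-in (a teen who opted in but later turned on GPC still gets no targeted ads), and that the gate only decides what to load; a CMP or tag manager must actually withhold the scripts, since server-side routing alone does not change what fires in the browser.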

// EDITORIAL · NOT LEGAL ADVICE This page summarises Virginia's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.