Jurisdiction Β· STATE Β· US-VA
πΊπΈ Virginia
VCDPA effective 2023-01-01. Enforced by VA AG with 30-day cure period. Opt-out for sale/targeted ads. No private right of action.
What a typical site must do
| Requirement | Value | Confidence | Reviewed |
|---|---|---|---|
| analytics_exempt_cookieless | yes | high | 2026-05-05 |
| banner_required | no | high | 2026-05-05 |
| breach_notification_hours | asap | high | 2026-05-05 |
| consent_mode_v2_relevant | yes | medium | 2026-05-05 |
| consent_model | opt_out | high | 2026-05-05 |
| cookie_policy_required | yes | high | 2026-05-05 |
| dpf_transfers_acceptable | yes | high | 2026-05-05 |
| dpo_required | not_required | high | 2026-05-05 |
| dsr_response_days | 45 | high | 2026-05-05 |
| enforcement_strictness | moderate | high | 2026-05-05 |
| iab_tcf_required | not_applicable | high | 2026-05-05 |
| language_required | english | high | 2026-05-05 |
| pre_consent_pings_allowed | yes | high | 2026-05-05 |
| privacy_policy_required | yes | high | 2026-05-05 |
| reject_layer1 | not_required | high | 2026-05-05 |
| ropa_required | not_required | high | 2026-05-05 |
Editorial notes
Tool compliance matrix
Default-config verdict per analytics/CMP tool against this jurisdiction.
| Vendor | Status | Rationale |
|---|---|---|
| Addingwell | green | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| Adobe Analytics | green | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. US baseline more permissive. |
| Amplitude | green | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. US baseline more permissive. |
| Cookiebot | green | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent β verify your manual scripts also gate. |
| Iubenda | green | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| Klaro | green | Open-source, self-hosted. No managed updates β site owner maintains vendor list. |
| OneTrust | green | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch β verify per-region defaults. US baseline more permissive. |
| Stape | green | EU server containers handle the routing β but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| Usercentrics | green | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
| LinkedIn Insight Tag | yellow | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured. |
| Meta Pixel | yellow | Schrems II concerns persist; advanced matching hashes PII but does not fix EUβUS transfer problem. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured. |
| PostHog | yellow | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| Server-side GTM (Google Cloud) | yellow | "EU server" β EU data β clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
| TikTok Pixel | yellow | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured. |
| Heap | red | Auto-capture grabs every click and form value β broad PII risk under GDPR Art 5(1)(c) data minimization. |