VCDPA: An introduction
What is VCDPA?
The Virginia Consumer Data Protection Act (VCDPA) is based on the consumer’s right to opt out of having personal data processed for the purposes of targeted advertising, sale, and/or profiling for decisions that could affect the consumer in a legal or similarly significant way. It also requires companies and organizations to obtain prior consent from end-users if they collect or process sensitive personal data, which we will take a deeper look at below.
This is similar to the EU’s General Data Protection Regulation (GDPR) that has been in effect since 2018.
From January 1, 2023, websites, companies, and organizations that conduct business in Virginia or produce products or services targeted to Virginia residents must comply with the VCDPA’s requirements if they control or process personal data of 100,000 or more consumers during a calendar year, or control or process personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of that personal data.
What is personal data under VCDPA?
The VCDPA defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable natural person (de-identified data or publicly available information is exempt). The VCDPA also distinguishes between “personal data” and “sensitive personal data”. The latter includes data from users under the age of 13, health and biometric data, geolocation data, and data about racial or ethnic origin, religious beliefs, political convictions, and sexual orientation.
Who is required to comply with the VCDPA?
The VCDPA applies to companies or for-profit organizations that do business in Virginia or that produce products and services for Virginia residents. If you have a for-profit company located outside of Virginia but you have users from inside Virginia (e.g. by offering online services that Virginia residents use), you are also required to be compliant with the VCDPA.
How to be compliant with Virginia law?
Users must have the option to opt out of personal data being used for so-called targeted advertising.
Targeted advertising is when websites and companies use personal data to tailor marketing campaigns to the users, and is defined in the VCDPA as advertising that is “selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”
In other words, under the Virginia Consumer Data Protection Act (VCDPA), users inside Virginia must be able to opt out of cookies and trackers on websites that collect personal data for the purpose of targeted advertising.
This is usually done through a Consent Management Platform (CMP) that automatically detects cookies and controls them based on the consent state of users, as they navigate a consent banner (also known as a ‘cookie banner’) on the website they visit.
Want to know more about VCDPA?
Check out our blog post: The Virginia Consumer Data Protection Act
VCDPA: A Cookiebot checklist
This guide focuses solely on providing the tools needed to make your website’s use of cookies and online tracking compliant with VCDPA. Other aspects of the VCDPA are therefore not covered or addressed in the checklist.
The checklist is not intended as legal advice - if in doubt, seek advice from a trusted legal source or your Data Protection Authority.
First time set up
If you are setting up Cookiebot for the first time, you can select the VCDPA preset at the very first step in the lower left portion of the screen.
This will automatically configure the banner to comply with VCDPA. You can still make some changes to suit your needs though.
Adding VCDPA as an additional legislation
When adding VCDPA as an additional legislation, you will need to create a separate domain group that is configured to comply with VCDPA.
Follow these steps to create the additional domain group.
- Add a new domain group.
  - If you only have a single domain group:
    - Select "Domains & Aliases" from the left-hand menu.
    - Click "Manage your domain groups".
  - If you already have multiple domain groups:
    - Click "Manage" at the top of the domain group section of the left-hand menu.
  - Click the "+ Create group" button.
- Name your new domain group "VCDPA" and press the "Create group" button.
- Click the "Configure CMP" icon on the line with your new domain group.
- Click "Legislation presets" at the right side of the screen and select the VCDPA preset.
- Click the "Save changes" button to save your domain group settings.