Skip to main content

Privacy-proof your website for CDPA compliance

Implement all your CDPA compliance requirements under one roof! Display an opt-out notice and provide privacy disclosures for foolproof compliance.

Become CDPA Compliant

14-day free trial Cancel anytime

The #1 cookie consent solution, trusted by 1.5 Million+ websites

Brand logos of global companies that are CookieYes customers.

The Virginia Consumer Data Protection Act (CDPA) is a state-wide data privacy law that applies to businesses that process the personal information of Virginia residents. The CDPA regulates how businesses process consumers’ personal information and provides them with rights over their data. Virginia CDPA came into effect on January 1, 2023.

CDPA Compliance Checklist for Websites

  • Provide opt-out from the sale of personal data, targeted advertising and profiling
  • Include an up-to-date and accessible privacy policy and cookie policy
  • Limit data collection only for relevant data and legitimate purposes

Prepare for CDPA Compliance with CookieYes

Implement an opt-out notice

Under CDPA, when businesses sell personal data or use it for targeted advertising (including the use of third-party cookies) or profiling, they should disclose this information in a clear and conspicuous way and inform consumers how to opt-out.

With CookieYes you can

  • Scan your website for cookies against a 100,000+ cookie database
  • Display an accessible and user-friendly opt-out banner on your website
  • Geo-target opt-out banner for US visitors only

Automate consent management

To respect users’ right to opt-out under CDPA, it’s necessary to ensure that websites set third-party cookies only based on users’ consent preferences and ensure continuous compliance.

With CookieYes you can

  • Select cookie categories to block when the user opts out
  • Schedule cookie scanning for up-to-date information on cookies
  • Record consent logs for proof of consent during audits

Generate a compliant privacy policy

Under the CDPA, businesses should implement an accessible, clear, and meaningful privacy notice on their website and include information on the personal data collected, the purpose of collection, how to exercise user rights, and more.

  • Use our pre-built, legally-compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Achieve regulatory compliance with ease
with our no-code cookie consent solution

Become CDPA Compliant

14-day free trial Cancel anytime

Learn more and take the first step
towards compliance

What is CDPA?

The Consumer Data Protection Act (CDPA) is a data protection legislation from Virginia, United States. Virginia CDPA imposes obligations on companies for processing personal data and grants rights to individuals regarding their personal data.

The CDPA came was passed on March 2, 2021 and enforcement began on January 1, 2023. Virginia is the second US state after California to enact a comprehensive consumer privacy legislation officially.

Who does CDPA apply to?

The CDPA applies to for-profit businesses that conduct business in Virginia or market their goods and services to Virginia residents and either

  • Controls or processes the personal data of at least 100,000 consumers in a year or
  • Controls or processes the personal data of at least 25,000 consumers and derives at least 50% of its gross revenue from the sale of personal data.

The CDPA does not apply to certain government agencies, non-profit organizations higher education institutions, financial institutions subject to the GBLA, covered entities or business associates governed by HIPAA and HITECH.

What are consumer rights in CDPA?

Right to access

The right to confirm whether a controller is processing the consumer’s personal data and to access the personal data.

Right to opt-out

The right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling.

Right to correct

The right to request to correct, update, or complete personal data about them.

Right to delete

The right to delete personal information that a business has collected from them.

Right to data portability

The right to obtain a copy of their personal data in a portable and readily usable format and transfer it to another data controller.

What is the penalty for non-compliance?

Businesses can get civil penalties of up to $7500 for each violation including Attorney fees. Businesses will have a 30-day cure period to rectify violations before the Virginia Attorney General takes action.

Virginia’s CDPA also opens for financial recovery of legal fees and investigative costs, and violations are not limited to “intentional violations”. Unlike California’s CCPA, the law explicitly excludes a private right of action.

FAQ on CDPA Compliance

The Virginia Consumer Data Protection Act (CDPA) is a data privacy law that regulates data processing in the state of Virginia. It was signed on March 2021 and took effect on January 2023.  This makes Virginia the second US state to enact a consumer privacy law, following in the footsteps of California. The Virginia CDPA builds on frameworks of California’s CCPA and the European Union’s GDPR.

The CDPA defines personal data broadly as any information that is linked or can be reasonably linkable to an identified or identifiable natural person. Data available in the public domain and anonymised data are excluded from the definition of personal data. Personal data, therefore, can be identifiers such as name, identification number, IP addresses, biometric information or characteristics such as race, ancestry, religion, age, sex, sexual orientation, gender, medical condition etc.

The CDPA protects a “sensitive” category of personal data. This includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying a natural person, and personal data collected from minors or precise geolocation data.

The Virginia Attorney General is the exclusive regulatory authority to enforce CDPA and has the power to impose a civil penalty of up to $7,500 per violation.

The Virginia CDPA has many similarities with the California Consumer Privacy Act (CCPA). Despite similarities, they have key distinctions in scope and enforcement. Some notable differences are:

  • CCPA considers revenue as one basis for its applicability, while CDPA applies if a business controls or processes at least 100,000 consumers’ personal data.
  • Unlike the CCPA, the CDPA does not have the provision for a private right of action for non-compliance. 
  • The CCPA gives users the right to opt out of businesses from the sale of their personal data. The CDPA broadens the scope to include targeted advertising and user profiling.

Here are some links you can refer to for additional reading:

Fast-track your CDPA compliance in minutes

Set up an opt-out banner in 3 simple steps and automate your compliance.

Become CDPA Compliant

14-day free trial Cancel anytime