Virginia went first among the second wave. The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, the earliest broad state privacy law enacted after California's, and it became the template that Colorado, Connecticut, and a dozen others borrowed from. One thing Virginia did not borrow back: a universal opt-out mandate. As of 2026, Virginia still doesn't require you to honor the Global Privacy Control, which sets it apart from most of its own descendants.
Does the VCDPA reach cookies?
The VCDPA regulates personal data linked or reasonably linkable to an identified or identifiable natural person. Advertising cookies and device identifiers that build a profile are in scope; purely functional cookies usually aren't.
The triggering activities are sale of personal data and targeted advertising. Note a Virginia quirk: the VCDPA defines a sale narrowly, as an exchange for monetary consideration only. Passing data to an ad partner for something other than money may not count as a sale here, though it can still be targeted advertising, which residents can opt out of regardless.
The consent model: opt-out, no signal mandate
Virginia uses an opt-out model. You can set analytics and advertising cookies by default, as long as you give residents a clear way to opt out of sale and targeted advertising and honor it when they do.
The gap from Colorado and Texas is the universal opt-out mechanism. Virginia has never required controllers to recognize a browser signal like GPC. So a Virginian's GPC signal doesn't automatically bind you the way it does one state north in Maryland or west in Kentucky. A manual opt-out control is enough to comply in Virginia today.
That said, honoring GPC anyway is smart. Many of your visitors will be covered by states that do require it, and treating the signal as an opt-out everywhere is simpler than switching behavior by state. It costs nothing to be stricter than Virginia demands.
Sensitive data needs opt-in
Virginia does require opt-in consent before processing sensitive data. The list covers personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; precise geolocation; and personal data from a known child under 13. Any tracker that touches those needs consent first, not a default-on load.
Reproductive-health data and assessments
Two extras sit alongside the core VCDPA rules. A 2025 amendment (SB 754, effective July 1, 2025) added a broad consent requirement before a business may collect, disclose, or sell a consumer's reproductive or sexual health information. It technically amends Virginia's Consumer Protection Act rather than the VCDPA itself, but it lands on the same websites, so any tracker touching that data needs consent, not a default load. Separately, the VCDPA requires a data protection assessment before processing that carries heightened risk, including selling personal data, targeted advertising, and certain profiling. If your cookies feed targeted ads, keep that assessment documented.
Virginia's odd position in 2026
Virginia is now the outlier among the laws it inspired. Colorado, Connecticut, Oregon, Montana, and most of the newer states that used Virginia as a model have added a universal-opt-out mandate. Virginia hasn't. Bills to add one have been floated but not enacted as of mid-2026, which leaves Virginia in a small group (with Utah and Iowa) where a browser signal isn't legally binding. Read that as a floor, not a ceiling: build to honor GPC for the states that require it, and Virginia is covered for free.
Who's covered
The VCDPA applies to businesses that operate in Virginia or target its residents and either control or process the personal data of at least 100,000 consumers in a year, or control or process the data of at least 25,000 consumers while deriving over 50 percent of gross revenue from selling personal data. There's no minimum-revenue gate, so a high-traffic site can be covered even on modest income.
Penalties and the permanent cure period
The Virginia Attorney General has sole enforcement authority. Before acting, the AG must give written notice and a 30-day cure period, and in Virginia that right to cure is permanent; it never sunset the way Colorado's and Connecticut's did. If you fail to fix the violation in 30 days, penalties reach up to $7,500 per violation, plus recovery of expenses. The permanent cure window makes Virginia comparatively forgiving, but don't treat it as a license to ignore the law until you get a letter.
A practical setup for Virginia traffic
- Publish an opt-out for sale and targeted advertising, reachable site-wide.
- Gate sensitive data behind opt-in, precise geolocation included.
- Honor GPC anyway. Virginia doesn't require it, but honoring it covers the many states that do and simplifies your logic.
- Keep a clear privacy notice describing your processing and the categories of third parties you share with.
- Log consent and opt-outs so you can show the mechanism works if the AG asks.
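The checklist above can be expressed as one consent gate. This is an added sketch, not CookieBeam's code or any vendor's API: the function names, purpose labels, and category labels are hypothetical, and the visitor and trackers are constructed sample data.

```javascript
// Added example; category and purpose labels are hypothetical identifiers.
const SENSITIVE = new Set([
  "racial_ethnic_origin", "religious_beliefs", "health_diagnosis",
  "sexual_orientation", "citizenship_immigration", "genetic_biometric",
  "precise_geolocation", "known_child_under_13", "reproductive_sexual_health",
]);
const OPT_OUT_PURPOSES = new Set(["sale", "targeted_advertising"]);

// Server side: the GPC signal arrives as the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// tracker: { name, purpose, dataCategories }; visitor: { gpc, manualOptOut, optIns }
function decide(tracker, visitor) {
  const missing = tracker.dataCategories
    .filter((c) => SENSITIVE.has(c) && !visitor.optIns.has(c));
  if (missing.length > 0) {
    return { allow: false, reason: "sensitive_opt_in_missing", missing };
  }
  if (OPT_OUT_PURPOSES.has(tracker.purpose)) {
    if (visitor.manualOptOut) return { allow: false, reason: "manual_opt_out" };
    // Not required by Virginia; honored anyway so one code path covers every state.
    if (visitor.gpc) return { allow: false, reason: "gpc_signal" };
  }
  return { allow: true, reason: "default_on_opt_out_model" };
}

// Append an audit record so the mechanism can be shown to work later.
function logDecision(log, tracker, visitor, now = new Date()) {
  const record = {
    at: now.toISOString(), tracker: tracker.name, purpose: tracker.purpose,
    gpc: visitor.gpc, manualOptOut: visitor.manualOptOut,
    ...decide(tracker, visitor),
  };
  log.push(record);
  return record;
}

// Constructed sample: one visitor sending GPC, three trackers.
const visitor = { gpc: gpcFromHeaders({ "Sec-GPC": "1" }), manualOptOut: false, optIns: new Set() };
const trackers = [
  { name: "analytics", purpose: "analytics", dataCategories: [] },
  { name: "ad_pixel", purpose: "targeted_advertising", dataCategories: [] },
  { name: "store_locator", purpose: "functional", dataCategories: ["precise_geolocation"] },
];
const auditLog = [];
for (const t of trackers) logDecision(auditLog, t, visitor);
console.log(auditLog.map((r) => `${r.tracker}: ${r.allow} (${r.reason})`).join("\n"));
```

The sensitive-data check runs first, so a tracker touching precise geolocation stays blocked without opt-in even when its purpose is not advertising.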
How CookieBeam handles Virginia
CookieBeam's US opt-out states preset was written for laws in the Virginia and Colorado line, so a Virginia visitor sees an opt-out banner with a "Your Opt-Out Rights" control. GPC honoring is default-on in the runtime; Virginia doesn't demand it, but leaving it on means you're already compliant for the states that do, with no per-state switch. Sensitive categories can be set to require opt-in, which is what Virginia's sensitive-data rule needs. The regional consent engine serves opt-out to Virginia and opt-in to the EU from one banner. Verify the current VCDPA text before finalizing.
Related guides
Read universal opt-out mechanisms across US state laws to see which states do and don't require GPC, plus sensitive data consent under US state laws and the complete guide to US state privacy laws. Primary source: the Code of Virginia, Chapter 53 (VCDPA).