Virginia VCDPA and analytics
Virginia's Consumer Data Protection Act (VCDPA) was an early comprehensive US state privacy law and a template many others followed. It uses controller and processor roles, grants access/deletion/correction/portability rights, and requires opt-outs for targeted advertising, sale, and certain profiling. This page explains, educationally, how it intersects with analytics.
Structure and rights
The VCDPA applies to controllers meeting volume thresholds for processing Virginia residents' data. It assigns GDPR-style controller and processor roles, requires data-processing agreements, and grants consumers rights to access, delete, correct, and port their data, plus a right to opt out of targeted advertising, the sale of personal data, and certain profiling with legal or similarly significant effects.
- Controller/processor roles and processing agreements
- Access, deletion, correction, portability rights
- Opt-out of targeted advertising, sale, and profiling
Where analytics intersects
Analytics used purely for a controller's own first-party insight is generally lower-risk, but where an analytics or ad tag enables targeted advertising — by disclosing identifiers to a third party that serves cross-context ads — VCDPA's opt-out attaches. The law's controller/processor framing also means your analytics vendor's role (processor versus an independent controller) matters for the contractual safeguards you need.
How it appears in analytics and logs
Tags disclosing data for targeted advertising bring VCDPA opt-out duties into play; first-party measurement for your own purposes generally sits outside those opt-outs.
Diagnostic use case
Check whether your analytics and ad tags trigger VCDPA's targeted-advertising or sale opt-outs for Virginia residents above the law's thresholds.
What WebmasterID can help detect
WebmasterID's first-party model with no targeted advertising avoids the disclosures VCDPA's opt-out is built around.
Common mistakes
- Assuming first-party analytics automatically needs a VCDPA opt-out.
- Ignoring the controller-versus-processor role of your vendor.
- Overlooking the targeted-advertising definition.
Privacy and accuracy notes
This page is educational and not legal advice. VCDPA applicability thresholds and exemptions are specific; consult the statute and counsel for your situation.
Related pages
- US state privacy laws overview
In the absence of a single federal privacy statute, several US states have enacted comprehensive consumer privacy laws with overlapping but non-identical rules. Most grant access, deletion, and correction rights and require opt-outs for targeted advertising and 'sale'. This page gives an educational overview of the common pattern and how it touches analytics.
- Controller vs processor
The GDPR assigns different duties to a controller — who determines the purposes and means of processing — and a processor, who processes personal data on the controller's behalf. Whether your analytics vendor is a processor or a joint controller changes the contracts and liabilities involved. This page explains the distinction and how it applies to analytics.
- Colorado Privacy Act and opt-out signals
The Colorado Privacy Act (CPA) is a comprehensive US state law granting access, deletion, correction, and portability rights and opt-outs for targeted advertising, sale, and profiling. It is notable for requiring controllers to honour a universal opt-out mechanism. This page explains, educationally, how that affects analytics and ad tags.
- Privacy-first analytics
First-party measurement without targeted advertising.
Sources and verification notes
- Virginia Law — Consumer Data Protection Act (Code of Virginia 59.1-575 et seq.)Official statutory text of the VCDPA.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.