Virginia VCDPA vs California CPRA

Virginia's Consumer Data Protection Act (VCDPA) and California's Consumer Privacy Rights Act (CPRA) are among the most powerful privacy laws in the United States.

Both laws provide extensive definitions of "personal information," grant consumers rights over their personal information, and require covered businesses to provide transparent notice about their practices.

But although there are many similarities between these two laws, there are some important differences, too. This article will help you understand whether you're covered by either law, and to determine what you need to do to comply.

There are a few things that it's important to note before we begin our comparison of the VCDPA and the CPRA:

• California's CPRA amends the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2021.
• Both Virginia's VCDPA and California's CPRA are effective from January 1, 2023, and will start being enforced from July 1, 2023.
• Both laws seek to protect the personal information of "consumers" (meaning residents of California and Virginia, respectively).
• Neither law is totally finished yet. Regulations governing the interpretation and application of each law will be published over the coming months and years.

Now let's take a look at the differences between Virginia's VCDPA and California's CPRA in some of the key areas.

Who's Covered By Each Law?

In brief:

• Virginia's VCDPA calls its covered entities "controllers," whereas California's CPRA refers to "businesses."
• Both laws apply extraterritorially. Companies all over the world must comply with each law if they hope to do business in each state.
• Virginia's CPDA doesn't have a minimum revenue threshold. It may apply to small businesses that collect a lot of data, or it may not apply to large businesses that collect little data.

"Controllers" Under Virginia's VCDPA

Virginia's VCDPA applies to anyone who:

• Conducts business in Virginia, OR
• Produces products or services that are targeted at Virginia residents

• AND:

  • Controls or processes the personal data of at least 100,000 consumers, OR
  • Controls or processes the personal data of at least 25,000 consumers AND derives over 50% of gross revenue from selling personal data.

"Businesses" Under California's CPRA

California's CPRA applies to any legal entity that meets all of these characteristics:

• Operates for profit
• Does business in California
• Collects California consumers' personal information
• Determines the purposes and means of the processing of consumers' personal information

... plus one or more of these characteristics:

• Has gross annual revenues of $25 million or more
• Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
• Derives over 50% of gross its revenue from selling or sharing consumers' personal information

How Does Each Law Define "Personal Information"..?

In brief:

• Both laws have a broad definition of personal information.
• Virginia's VCDPA uses the term "personal data," whereas California's CCPA refers to "personal information."
• The VCDPA lists 11 categories of personal information alongside its definition, whereas Virginia's VCDPA does not provide any examples.

"Personal data" under Virginia's VCDPA

Viriginia's VCDPA defines "personal data" as any information that is linked or reasonably associated with an identified or identifiable natural person.

The definition excludes de-identified data and publicly available information.

"Personal information" under California's CPRA

California's CPRA defines "personal data" as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

This definition excludes:

• Publicly available information
• Lawfully obtained, truthful information that is a matter of public concern
• Consumer information that is de-identified
• Aggregate consumer information

How Does Each Law Define and Treat "Sensitive Personal Information"..?

In brief:

• Virginia's VCDPA requires controllers to seek opt-in consent from consumers before processing their sensitive personal data.
• California's CPRA requires controllers to limit the use or disclosure of consumers' sensitive personal information on request (an opt-out).
• Virginia's VCDPA includes childrens' personal data among its types of personal data. California's CPRA does not, but the law nonetheless requires businesses to obtain opt-in consent before selling childrens' personal information.

"Sensitive personal data" under Virginia's VCDPA

"Sensitive personal data" under Virginia's VCDPA includes:

• Personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
• Genetic or biometric data, if processed for the purpose of uniquely identifying a natural person
• Children's personal data
• Precise geolocation data

You must not process (collect, store, share, or otherwise use in any way) sensitive personal information without a consumer's consent.

"Consent" means:

"...a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement..."

This is a strong standard of opt-in consent, much like the GDPR's definition.

You must conduct a data protection assessment before processing a consumer's sensitive personal information. This means identifying and weighing the benefits of processing the data against the risks, taking any potential mitigation and safeguards into account.

"Sensitive personal information" under California's CPRA

"Sensitive personal information" under California's CPRA includes:

• A consumer's:

  • Social security number
  • Driver's license number
  • State ID card number
  • Passport number

• A consumer's:

  • Account log-in
  • Financial account
  • Debit card, or credit card number in combination with any required credentials allowing access to an account
• Precise geolocation data

• A consumer's:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
• The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication
• Genetic data
• Biometric information, if processed for the purpose of uniquely identifying a consumer

• Personal information collected and analyzed concerning a consumer's:

  • Health
  • Sex life
  • Sexual orientation

A consumer may restrict a business' use of their sensitive personal information, in which case the business may only use that consumer's sensitive personal information for the following business purposes:

• To provide goods or services requested by the consumer
• To ensure security and integrity
• For certain short-term, transient uses
• To perform certain services on behalf of the business
• Verifying, maintaining, improving, upgrading, or enhancing the business' services or devices

What Consumer Rights Does Each Law Provide?

In brief:

• California's CPRA extends the rights that previously existed under the state's CCPA.
• Virginia's VCDPA offers some opt-outs, and also requires opt-in consent for the processing of sensitive personal data.
• The laws vary according to how long businesses have to respond to consumer rights requests.

Consumer Rights Under Virginia's VCDPA

A Virginian consumer has the right to:

• Confirm whether or not a controller is processing their personal data
• Access their personal data
• Correct inaccurate personal data
• Delete their personal data
• Obtain a portable copy of their personal data

• Opt out of the processing of their personal data for the purposes of:

  • Targeted advertising
  • Sale
  • Profiling for purposes that produce legal or similarly significant effects
• Opt in to the processing of sensitive personal data

Businesses must respond within 45 days, with one possible 45-day extension. Consumer rights requests are free on the first two occasions per year.

Consumers may appeal the refusal of a request. The controller must respond within 60 days.

Consumer Rights Under California's CPRA

A Californian consumer has the right to:

• Know what types of personal information a business has collected, sold, or shared about them, including:

  • The categories of sources of the information
  • The purposes of the collection or disclosure
  • The categories of any third-party recipients of the information
• Access their personal data
• Correct inaccurate personal data
• Delete their personal data
• Opt out of the sale of sharing of their personal information
• Limit the use and disclosure of sensitive personal information

Businesses must respond within 30 days, with one possible 30-day extension. Consumer rights requests are free on the first two occasions per year.

What are the Privacy Policy Requirements of Each Law?

In brief:

• Both laws require businesses to disclose the types of personal information they collect, use, and share.
• Both laws require businesses to inform consumers about their rights and how to exercise them.
• California's CPRA requires businesses to update their Privacy Policies every 12 months. Virginia's VCDPA contains no such requirement.

Virginia VCDPA Privacy Policy Requirements

Under Virginia's VCDPA, controllers must provide a "reasonably accessible, clear, and meaningful" Privacy Policy that includes the following information:

1. The categories of personal data the controller processes
2. The purposes for processing personal data
3. Details of how consumers can exercise their CDPA consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request
4. A list of any categories of personal data the controller shares with third parties
5. The categories of any third parties with whom the controller shares personal data
6. Details of any third parties to whom the controller sells personal data, plus instructions on how to opt out
7. A description of "one or more secure and reliable means for consumers to submit a request to exercise their consumer rights"

California CPRA Privacy Policy Requirements

The CPRA's Privacy Policy requirements supplement those of the CCPA. So for the purposes of this article, we're assuming you already have a CCPA-compliant Privacy Policy and want to update it to comply with the CPRA.

We won't go into detail about the CCPA's Privacy Policy requirements, but you can read our CCPA Privacy Policy Checklist for guidance.

As for the CPRA, its Privacy Policy requirements vary depending on your business activities.

Every businesses must provide information about the "right to correct" in its Privacy Policy, including:

• An explanation of a consumer's right to correct
• Instructions on how to make a verifiable consumer request under the right to correct
• A general description of how you will verify a consumer's identity

If a business shares personal information, its Privacy Policy must provide information about the "right to opt out," including:

• An explanation of the consumer's right to opt out of the sharing of their personal information and sensitive personal information
• Details about your "Do Not Sell or Share My Personal Information" page

If a business collects or uses sensitive personal information, its Privacy Policy must provide details on the "right to limit the disclosure or use of sensitive personal information," including:

• An explanation of this consumer right
• Instructions on how to make a verifiable consumer request
• A general description of how you will verify a consumer's identity

How is Each Law Enforced?

In brief:

• Virginia's VCDPA is enforced by the Virginia Attorney-General. California's CPRA is enforced by the California Consumer Privacy Agency (CPPA), the California Attorney-General, and private legal claims.
• Violation of either law can attract a fine of up to $7,500 per violation.
• Virginia's VCDPA does not include a private right of action.

Enforcement of Virginia's VCDPA

The Virginia Attorney-General has sole responsibility for enforcing Virginia's VCDPA.

The Attorney-General may issue a civil investigative demand against a business it believes is violating this VCDPA.

The Attorney-General may impose a civil penalty of up to $7,500 for each VCDPA violation, and recover reasonable costs for its investigation.

Enforcement of California's CPRA

The CPRA establishes a dedicated privacy office, the California Privacy Protection Agency (CPPA), which will enforce the CCPA/CPRA. The California Attorney-General also retains authority to issue fines under the law.

The CPPA and the California Attorney-General can impose administrative fines of:

• Up to $2,500 for each unintentional violation, or
• Up to $7,500 for each intentional violation, or for any violations involving the personal information of children under the age of 16

The CPPA has discretion to allow a business to "cure" its violation before pursuing a fine (this removes the blanket "notice and cure" provision from the CCPA).

A business may be liable for costs of the investigation, but only to either the CPPA or the California Attorney-General.

The CPRA expands on the CCPA's limited private right of action. We won't go into detail regarding the CCPA's private right of action, but we have an article on this topic if you want to know more.

Briefly, the CCPA's private right of action allows consumers to take a business to court if it suffers a breach of certain types of personal information.

The CPRA expands this right by adding an extra type of personal information to the list: an "email address in combination with a password or security question and answer that would permit access to the account."

How Does Each Law Treat Service Providers?

In brief:

• Both laws have a concept of a "service provider" or "processor" that acts on behalf of the business or controller.
• Both laws require businesses to have a contract in place with service providers or processors they use.
• The business remains liable for most violations unless the service provider or processor acts outside of its contract.

Data Processors Under Virginia's VCDPA

Virginia's VCDPA defines a "processor" as "a natural or legal entity that processes personal data on behalf of a controller." The VCDPA sets rules regarding the relationship between controllers and processors.

The relationship between a controller and a processor must be governed by a binding contract that sets out:

• Clear instructions for processing data
• The nature and purpose of processing
• The type of data subject to processing
• The duration of processing
• The rights and obligations of both parties

The contract must also include clauses ensuring that:

• The processor ensure that anyone processing the personal data is covered by a duty of confidentiality
• The processor deletes or returns all personal data at the controller's discretion
• The processor makes all personal data available to the controller and demonstrates its VCDPA compliance on request
• The processor complies with audits by the controller or an approved third party

Service Providers Under California's CPRA

The CPRA defines a "service provider" as "a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract."

The CPRA distinguishes this from a "contractor" which is defined as "a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract...."

The relationship between a business and its service provider or contractor must be governed by a contract that prohibits the service provider or contractor from:

• Selling or sharing the personal information
• Retaining, using, or disclosing the personal information for any purpose outside of the contract
• Retaining, using, or disclosing the information outside of the direct business relationship between the two parties
• Combining the personal information with any other personal information from another source, except where permitted by the CPRA

For more information, see our article The Complete Guide to CCPA Service Providers.

Your Next Compliance Steps

Virginia's VCDPA and California's CCPA as amended by the CPRA are among the toughest privacy laws in the United States. We can expect many similar laws to emerge across the country over the next few years.

There are many key similarities between these two laws. Here are some steps you can take before 2023 to prepare for compliance with both laws:

• Check whether you meet the threshold for complying with either law.
• Map the personal information and sensitive personal information your business controls.
• Set up processes for dealing with consumer rights requests.
• Update your Privacy Policy.
• Ensure you have contracts in place with any service providers/processors.