Virginia's Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) are among the most powerful privacy laws in the United States.
Both laws provide extensive definitions of "personal information," grant consumers rights over their personal information, and require covered businesses to provide transparent notice about their practices.
But although there are many similarities between these two laws, there are some important differences, too. This article will help you work out whether you're covered by either law and what you need to do to comply.
There are a few things that it's important to note before we begin our comparison of the CDPA and the CPRA:
- California's CPRA amends the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020.
- Both Virginia's CDPA and California's CPRA take effect on January 1, 2023. The CPRA's new provisions become enforceable on July 1, 2023; Virginia's CDPA is enforceable from its effective date.
- Both laws seek to protect the personal information of "consumers" (meaning residents of Virginia and California, respectively). Virginia's definition excludes people acting in a commercial or employment context; California's CPRA covers employees and business contacts once the CCPA's temporary exemptions for them expire on January 1, 2023.
- Neither law is totally finished yet. Regulations governing the interpretation and application of each law will be published over the coming months and years.
Now let's take a look at the differences between Virginia's CDPA and California's CPRA in some of the key areas.
Who's Covered By Each Law?
- Virginia's CDPA calls its covered entities "controllers," whereas California's CPRA refers to "businesses."
- Both laws apply extraterritorially. A company anywhere in the world must comply if it does business in the state (or targets its residents) and meets the law's thresholds.
- Virginia's CDPA has no minimum revenue threshold; its thresholds are based on the volume of personal data processed. It may therefore apply to small businesses that process a lot of personal data, and not apply to large businesses that process little.
"Controllers" Under Virginia's CDPA
Virginia's CDPA applies to any person that:
- Conducts business in Virginia, OR
- Produces products or services that are targeted at Virginia residents
... AND that, during a calendar year, either:
- Controls or processes the personal data of at least 100,000 consumers, OR
- Controls or processes the personal data of at least 25,000 consumers AND derives over 50% of gross revenue from the sale of personal data.
"Businesses" Under California's CPRA
California's CPRA applies to any legal entity that meets all of these characteristics:
- Operates for profit
- Does business in California
- Collects California consumers' personal information
- Determines the purposes and means of the processing of consumers' personal information
... plus one or more of these characteristics:
- Had gross annual revenues of more than $25 million in the preceding calendar year
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
How Does Each Law Define "Personal Information"?
- Both laws have a broad definition of personal information.
- Virginia's CDPA uses the term "personal data," whereas California's CPRA refers to "personal information."
- The CPRA's definition is accompanied by a list of example categories (identifiers, commercial information, biometric information, internet activity, geolocation data, inferences, and so on). Virginia's CDPA does not provide any examples.
"Personal data" under Virginia's CDPA
Virginia's CDPA defines "personal data" as any information that is linked or reasonably linkable to an identified or identifiable natural person.
The definition excludes de-identified data and publicly available information.
"Personal information" under California's CPRA
California's CPRA defines "personal information" as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This definition excludes:
- Publicly available information
- Lawfully obtained, truthful information that is a matter of public concern
- Consumer information that is de-identified
- Aggregate consumer information
How Does Each Law Define and Treat "Sensitive Personal Information"?
- Virginia's CDPA requires controllers to seek opt-in consent from consumers before processing their sensitive personal data.
- California's CPRA gives consumers the right to direct a business to limit its use and disclosure of their sensitive personal information (an opt-out, not an opt-in).
- Virginia's CDPA treats personal data collected from a known child as sensitive personal data. California's CPRA does not, but it requires businesses to obtain opt-in consent before selling or sharing the personal information of consumers under 16 (from a parent or guardian for children under 13).
"Sensitive personal data" under Virginia's CDPA
"Sensitive personal data" under Virginia's CDPA includes:
Personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
... plus:
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person
- Personal data collected from a known child
- Precise geolocation data
You must not process (collect, store, share, or otherwise use in any way) sensitive personal data without the consumer's consent, or, for data concerning a known child, without processing it in accordance with the federal Children's Online Privacy Protection Act (COPPA). The CDPA defines consent as:
"...a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement..."
This is a strong standard of opt-in consent, much like the GDPR's definition.
You must also conduct and document a data protection assessment before processing sensitive personal data. This means identifying and weighing the benefits of the processing against the risks to consumers, taking any mitigations and safeguards into account.
"Sensitive personal information" under California's CPRA
"Sensitive personal information" under California's CPRA includes:
- Social security, driver's license, state identification card, or passport number
- Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of mail, email, and text messages, unless the business is the intended recipient of the communication
- Genetic data
- Biometric information processed for the purpose of uniquely identifying a consumer
- Personal information collected and analyzed concerning a consumer's health
- Personal information collected and analyzed concerning a consumer's sex life or sexual orientation
A consumer may direct a business to limit its use of their sensitive personal information, in which case the business may only use that consumer's sensitive personal information for the following business purposes:
- To provide goods or services requested by the consumer
- To ensure security and integrity
- For certain short-term, transient uses
- To perform certain services on behalf of the business
- Verifying, maintaining, improving, upgrading, or enhancing the business' services or devices
What Consumer Rights Does Each Law Provide?
- California's CPRA extends the rights that previously existed under the state's CCPA.
- Virginia's CDPA offers some opt-outs, and also requires opt-in consent for the processing of sensitive personal data.
- Both laws give businesses 45 days to respond to a consumer rights request, with one possible 45-day extension, but only Virginia's CDPA requires a formal process for appealing a refusal.
Consumer Rights Under Virginia's CDPA
A Virginian consumer has the right to:
- Confirm whether a controller is processing their personal data, and access that data
- Correct inaccuracies in their personal data
- Delete personal data provided by or obtained about them
- Obtain a copy of their personal data in a portable and readily usable format
- Opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
Controllers must respond within 45 days, with one possible 45-day extension. Consumers may make requests free of charge up to twice per year.
Consumers may appeal the refusal of a request. The controller must respond within 60 days.
Consumer Rights Under California's CPRA
A Californian consumer has the right to:
Know what types of personal information a business has collected, sold, or shared about them, including:
- The categories of sources of the information
- The purposes of the collection or disclosure
- The categories of any third-party recipients of the information
- Access the specific pieces of personal information collected about them
- Correct inaccurate personal information
- Delete personal information collected from them
- Opt out of the sale or sharing of their personal information
- Limit the use and disclosure of their sensitive personal information
- Not be discriminated against for exercising any of these rights
Businesses must respond within 45 days, with one possible 45-day extension. Requests to know are free up to twice in a 12-month period.
What Notice Requirements Does Each Law Impose?
- Both laws require businesses to disclose the types of personal information they collect, use, and share.
- Both laws require businesses to inform consumers about their rights and how to exercise them.
- California's CPRA requires businesses to update their privacy policies at least once every 12 months. Virginia's CDPA contains no such requirement.
Privacy Notices Under Virginia's CDPA
Virginia's CDPA requires a controller to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data the controller processes
- The purposes for processing personal data
- Details of how consumers can exercise their CDPA consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request
- A list of any categories of personal data the controller shares with third parties
- The categories of any third parties with whom the controller shares personal data
- Details of any third parties to whom the controller sells personal data, plus instructions on how to opt out
- A description of "one or more secure and reliable means for consumers to submit a request to exercise their consumer rights"
Privacy Policies Under California's CPRA
The CPRA keeps the CCPA's existing privacy policy requirements and adds disclosures for the new right to correct. For the right to correct, your privacy policy must include:
- An explanation of a consumer's right to correct
- Instructions on how to make a verifiable consumer request under the right to correct
- A general description of how you will verify a consumer's identity
The CCPA regulations already require the same three elements for the rights to know and to delete:
- An explanation of the consumer right
- Instructions on how to make a verifiable consumer request
- A general description of how you will verify a consumer's identity
How is Each Law Enforced?
- Virginia's CDPA is enforced by the Virginia Attorney General. California's CPRA is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General, with a limited private right of action for data breaches.
- Violation of either law can attract a fine of up to $7,500 per violation.
- Virginia's CDPA does not include a private right of action.
Enforcement of Virginia's CDPA
The Virginia Attorney General has exclusive authority to enforce Virginia's CDPA.
The Attorney General may issue a civil investigative demand to a controller or processor it believes is violating the CDPA. Before bringing an action, the Attorney General must give the controller or processor 30 days' written notice identifying the violations; if the violation is cured within that period and the business provides a written statement that it has been cured and will not recur, no action is brought.
If the violation is not cured, the Attorney General may seek an injunction and a civil penalty of up to $7,500 for each CDPA violation, plus reasonable expenses incurred in investigating and preparing the case, including attorney fees.
Enforcement of California's CPRA
The CPRA establishes a dedicated privacy regulator, the California Privacy Protection Agency (CPPA), which will enforce the CCPA as amended by the CPRA. The California Attorney General also retains authority to bring civil enforcement actions under the law.
The CPPA and the California Attorney General can impose fines of:
- Up to $2,500 for each unintentional violation, or
- Up to $7,500 for each intentional violation, or for any violations involving the personal information of children under the age of 16
The CPRA removes the CCPA's mandatory 30-day "notice and cure" period. The CPPA has discretion to allow a business to cure a violation before pursuing a fine, but is not required to.
A business will not be penalized twice for the same conduct: once the CPPA has issued a decision or order on a violation, the Attorney General may not bring a civil action for that same violation.
The CPRA expands on the CCPA's limited private right of action. We won't go into detail regarding the CCPA's private right of action, but we have an article on this topic if you want to know more.
Briefly, the CCPA's private right of action allows consumers to sue a business that suffers a breach of certain types of nonencrypted and nonredacted personal information as a result of its failure to implement and maintain reasonable security procedures.
The CPRA expands this right by adding an extra type of personal information to the list: an "email address in combination with a password or security question and answer that would permit access to the account."
How Does Each Law Treat Service Providers?
- Both laws have a concept of a "service provider" or "processor" that acts on behalf of the business or controller.
- Both laws require businesses to have a contract in place with service providers or processors they use.
- The business remains liable for most violations unless the service provider or processor acts outside of its contract.
Data Processors Under Virginia's CDPA
Virginia's CDPA defines a "processor" as "a natural or legal entity that processes personal data on behalf of a controller." The CDPA sets rules regarding the relationship between controllers and processors.
The relationship between a controller and a processor must be governed by a binding contract that sets out:
- Clear instructions for processing data
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties
The contract must also include clauses ensuring that:
- The processor ensures that each person processing the personal data is subject to a duty of confidentiality
- The processor deletes or returns all personal data to the controller, at the controller's direction, at the end of the provision of services (unless retention is required by law)
- The processor makes available to the controller all information in its possession necessary to demonstrate its CDPA compliance on request
- The processor allows and cooperates with reasonable assessments by the controller or the controller's designated assessor, or arranges for a qualified independent assessor to conduct an assessment
- The processor engages any subcontractor only under a written contract that binds the subcontractor to the same obligations
Service Providers Under California's CPRA
The CPRA defines a "service provider" as "a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract."
The CPRA distinguishes this from a "contractor" which is defined as "a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract...."
The relationship between a business and its service provider or contractor must be governed by a contract that prohibits the service provider or contractor from:
- Selling or sharing the personal information
- Retaining, using, or disclosing the personal information for any purpose outside of the contract
- Retaining, using, or disclosing the information outside of the direct business relationship between the two parties
- Combining the personal information with any other personal information from another source, except where permitted by the CPRA
For more information, see our article The Complete Guide to CCPA Service Providers.
Your Next Compliance Steps
Virginia's CDPA and California's CPRA are among the toughest privacy laws in the United States. We can expect many similar laws to emerge across the country over the next few years.
There are many key similarities between these two laws. Here are some steps you can take before 2023 to prepare for compliance with both laws:
- Check whether you meet the threshold for complying with either law.
- Map the personal information and sensitive personal information your business controls.
- Set up processes for dealing with consumer rights requests.
- Ensure you have contracts in place with any service providers/processors.