Virginia's CDPA v. California's CCPA (CPRA)

Virginia's Consumer Data Protection Act (CDPA) and California's Consumer Privacy Act (CCPA/CPRA) aim to give people more control over how they share their personal data online.

However, while these laws are similar in many ways, there are some substantial differences in how they are applied and who they protect.

In this article we consider the similarities and differences between both Acts to help you meet your compliance requirements.


What is the CDPA?

The CDPA is effective from January 1, 2023. It's designed to give Virginia residents more control over what personal information they share online, and who they share it with.

In many ways, the Act is similar to the EU's General Data Protection Regulation (GDPR). The idea is to strike a balance between:

  • Allowing businesses to collect the data they need for commercial purposes, and
  • Protecting Virginia consumers from sharing their personally identifiable information in ways they're uncomfortable with

What is the CCPA (CPRA)?

The CCPA (CPRA) came into force on January 1, 2020.

Like the CDPA and the GDPR, the California Consumer Privacy Act allows California residents to limit how much personal data they share with businesses when they use the internet. Aside from the CDPA, the CCPA (CPRA) is one of the only privacy laws in the U.S. to offer such far-reaching protections to consumers.

You may already be complying with the CCPA (CPRA), but even if the law doesn't apply to you (more on that below), you should still understand how it works.

Who Each Act Applies to

Each Act has a different territorial scope.

Scope of the CDPA

According to Section 59.1-572, the CDPA applies to businesses that:

  • Handle or process personal details belonging to 100,000 or more Virginia residents, or
  • Earn 50% or more of their gross revenue from selling personal information, and they process or handle data belonging to at least 25,000 Virginia residents

So, if you're a for-profit company selling goods or services to the people of Virginia, or you process data on behalf of a company that does, then it's likely that the CDPA applies to you.

Scope of the CCPA (CPRA)

The rules are set out in Section 1798.140(C). Essentially, you must comply with the CCPA (CPRA) if you're a for-profit business and you:

  • Earn at least 50% of your profits from selling or sharing personal data, or
  • Buy or sell data belonging to 100,000 or more people, or
  • Have a gross income exceeding $25 million

Definition of "Personal Data"

"Personal data" typically means any information a business can use to identify a specific individual. Each Act defines personal data slightly differently, but the meaning is the same.

"Personal Data" Under the CDPA

The meaning of personal data in the CDPA is simply any information you could link to a person and use to identify them.

  • There are no examples of personal data provided in the Act.
  • Personal data doesn't include de-identified data, such as anonymized data used for statistical purposes.

How the CCPA (CPRA) Defines "Personal Information"

The CCPA (CPRA) refers to this data as "personal information," not "personal data." It's defined in Section 1798.140(o)(1) as basically any information you could link to a person, or use to identify them.

  • The definition provided is more comprehensive than the one offered in the CDPA.
  • While the CDPA doesn't provide any examples of personal data, the CCPA (CPRA) provides numerous examples.
  • Again, personal information doesn't include anonymized data.

The Public Availability Exception

We know that personal data doesn't include aggregated data where it's impossible to identify someone. However, this is not the only exception. Personal data doesn't include any data that's publicly available, either.

Publicly Available Information and the CDPA

The definition of "publicly available information" under the CDPA is extremely broad. It covers:

  • Information made available through local, federal, or state government records
  • Any information a business has reasonable grounds to believe falls within the public domain

So, if a layperson might consider some information "publicly available information," then it could fall within this exception.

Publicly Available Information and the CCPA (CPRA)

The CCPA (CPRA) defines "publicly available information" much more strictly. It only covers data released lawfully in federal, local, or state government records.

The definition of publicly available information is one of the biggest differences between the Acts.

The Treatment of Sensitive Data

"Sensitive data" is any data that's private, such as sexual orientation and religious beliefs. There are some key differences in how the Acts define sensitive data.

The CDPA and Sensitive Data

The CDPA defines sensitive data as:

  • Any personal data from a child
  • Adult biometric or genetic data
  • Any information revealing an adult's immigration status, sexual orientation, religious beliefs, health conditions, or racial or ethnic origins

Under the CDPA, you can't collect sensitive data without someone's express consent. They must take a positive step to show they're happy for you to capture this information, e.g., clicking a checkbox.

The CCPA (CPRA) and Sensitive Data

If the CCPA applies, you need someone's consent to process sensitive data. Additionally, you must disclose if you collect or use sensitive data, and you must give people the opportunity to opt out.

Consumer Rights

Both the CDPA and the CCPA (CPRA) exist to give people more control over their personal data. Let's compare the rights afforded by each Act.

Consumer Rights Under the CDPA

We know you can't collect sensitive data under the CDPA unless a person opts in. However, the CDPA also gives people the right to:

  • Access any personal data stored on them
  • Request a copy of their personal data
  • Amend any errors or inaccuracies
  • Request the deletion of their data

You must also give them the right to opt out of selling their personal data, or using their data for targeted advertising or profiling purposes.

If someone contacts you regarding their data, you usually only have 45 days to respond. The rights are set out in detail in Section 59.1-573 of the Act.

Consumer Rights Under the CCPA (CPRA)

The rights afforded under the CCPA (CPRA) are fairly similar, although they are a little narrower.

Californians have a number of rights including the following:

  • Access their personal information
  • Know what data you hold on them
  • Correct any errors in their personal information
  • Limit the use of sensitive personal information
  • Request you delete their data
  • Data portability
  • Opt out of any sale of their personal information to third parties

You also can't discriminate against Californians who exercise their privacy rights in any way.

Consent Requirements

Businesses might need someone's consent to personal data processing before they can capture information about them, but each Act has different criteria for when consent is necessary.

Under the CDPA, you only need express consent in two circumstances:

  • When you want to process sensitive data (including data belonging to minors), or
  • When you want to use the data in a way the customer wouldn't expect

So, for example, if you only collected data for essential purposes before, and you decide to start sharing it with third parties for sale, you'll probably need consent first.

Under the CCPA (CPRA), you really only need consent if you want to sell personal information.

Privacy Policy Requirements

No matter which Act applies, you must provide users with a written notice setting out:

  • How you use their personal data; and
  • What rights people have over their information

The easiest way to do this is by writing a Privacy Policy. By writing a comprehensive Privacy Policy, you can pretty much comply with both Acts simultaneously.

CDPA Privacy Policies

Section 59.1-574 (C) of the CDPA requires you to draft a "Privacy Notice" setting out:

  • The type of personal data you process
  • Your reasons for processing
  • Your policy for sharing data with third parties
  • How Virginia residents can control the data they share with you
  • Where customers can contact you for more information

The Consumer Data Protection Act doesn't set out how often you should update your Privacy Notice. However, it's good practice to update your Notice at least once every 12 months, and, of course, whenever your data practices change.

Make your Privacy Policy accessible by placing prominent links around your website. An example would be placing a link in the website footer. Here's an example from Tim Hortons:

Tim Hortons website footer with Privacy Policy link highlighted

CCPA (CPRA) Privacy Policies

Section 1798.130(5) confirms that you need a Privacy Policy under the CCPA (CPRA), and that you must update it at least once every 12 months.

You must also set out:

  • The rights people have regarding their personal information
  • The categories of information you collect, and why you collect it
  • Who you share the data with
  • How people can contact you to exercise their rights under the Policy

"Do Not Sell My Information"

If you sell personal information, the CCPA (CPRA) requires you to give people the opportunity to opt out. This is done through a "Do Not Sell My Personal Information" page, and you must link to it within your Privacy Policy and on your website.

Here's an example from NBC Universal:

NBC Universal Privacy Policy: Do Not Sell My Personal Information page clause

This is a good example of how to include a clear link to the "Do Not Sell" page within a Privacy Policy.

Data Processors and Service Providers

Service providers, or data "processors," process personal data on a company's behalf. Since they also have access to personal data, they're regulated by the CDPA and CCPA (CPRA).

The CDPA and Data Processors

Under CDPA Section 59.1-571, a data processor is any company responsible for processing any personal data collected by a controller.

Before a processor can handle data, they must agree to a written contract with the controller setting out the:

  • Procedures for handling data
  • Purpose and duration of the processing
  • Rights and responsibilities of each party

The processor must be able to demonstrate CDPA compliance, if requested.

The CCPA (CPRA) and Data Processors

The CCPA (CPRA) refers to "service providers," not processors, but they're the same type of entity.

That said, the CCPA (CPRA) doesn't place as many obligations on service providers. While you still need a written contract between the controller and the service provider, and the service provider can only use the personal data in a specified way, there's less oversight.

In summary, the CDPA is stricter when it comes to regulating data processors or service providers.

Penalties for Non-compliance

Both Acts impose fines or penalties on businesses and processors who fail to comply with the rules. Let's break down the differences.

Enforcing the CCPA (CPRA)

If you're reported for non-compliance, you'll be notified and given 30 days to fix the issue. If you don't act, you can be fined $2,500 for an accidental violation, or $7,500 for a deliberate violation.

You can read more about this in Section 1798.155.

Enforcing the CDPA

The CDPA fines are pretty similar, but the one key difference is that you can be fined up to $7,500 for any violation, whether it's intentional or accidental.

Again, though, you have 30 days to "cure" the violation before you'll receive a financial penalty. The rules are set out in Section 59.1-579.

Conclusion

Both the Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA/CPRA) regulate how businesses can process personal data supplied by their customers. To summarize what we've learned above, here's a final overview of the similarities and differences between both Acts.

Similarities

The CDPA and CCPA (CPRA) are fundamentally similar.

  • "Personal information" means broadly the same thing in both Acts.
  • Data processors, or service providers, can't process data on a controller's behalf unless there's a written contract in place.
  • You need a Privacy Policy, or Privacy Notice, before collecting anyone's data.
  • You must inform users of their privacy rights, and help them exercise these rights.
  • There are a few occasions when you need consent to process data.
  • Every user has the right to request you to delete or amend their data.

Differences

The main differences between the Acts are:

  • You need consent to collect sensitive data under the CDPA, whereas you only need consent to sell personal information under the CCPA. So, the consent rules are different.
  • The CDPA gives people more rights over their data than the CCPA (CPRA).
  • The CCPA (CPRA) is much stricter in terms of what data counts as "publicly available information."
  • Every CCPA/CPRA-compliant website needs a "Do Not Sell My Information" page, while the CDPA does not require this.
  • The CDPA takes a stricter approach to data processor regulation.
  • You could be fined more under the CDPA if you violate the rules.