Virginia's Consumer Data Protection Act can apply to businesses located well outside of the state's borders. Learn how the law could affect your company.
Data privacy laws are growing in number—in 2023 alone, four new state laws are taking effect—but their general approach is broadly similar. They require organizations to be transparent about how they use personal data, and they give consumers more control by granting them new privacy rights. In fact, the laws are so similar that it can be difficult to keep track of the differences.
Such is the case with the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA). They share many similarities, but this masks some very important differences that significantly affect compliance. Here we’ll highlight the most important ways that the two laws differ from each other.
Among the U.S. data privacy laws, the CCPA is alone in applying to personal data from not only consumers, but employees, job applicants, and B2B contacts as well. When it was originally passed, the CCPA had a temporary exemption for this data, which the state kept extending. That changed on January 1, 2023, when the exemption finally expired without further extensions.
Employee data in particular presents a challenge for businesses: they not only have to map this data separately, they also have to decide how to respond to privacy requests from employees, such as requests to access or delete their personal data.
Virginia, on the other hand, permanently exempts any data collected in an employment or commercial context.
Both the California and Virginia laws give consumers the right to opt out of the sale of their personal data (as well as targeted advertising), but they define “sale” in subtly different ways. The VCDPA defines a sale as the exchange of personal data for monetary consideration (i.e., money), while the CCPA defines it as making personal information available for monetary “or other valuable consideration.”
It’s a small difference with big implications. Most businesses that have to comply with the CCPA don’t trade personal information for money, but the California definition doesn’t require money to change hands. Receiving free or discounted access to a product or service (analytics software such as Google Analytics, for example) in exchange for giving the provider access to data about your customers would count as a sale, and that is a much more common arrangement. Any business that sells data in this way has to create a process that allows consumers to opt out.
Switching things up, here’s an example where the VCDPA imposes a higher burden than the CCPA. The Virginia law requires businesses to conduct data protection assessments when processing personal data for any of the following purposes:
A data protection assessment must weigh the benefits of the processing against the potential risks to consumers, and consider the use of safeguards to reduce those risks.
The CCPA does not currently require data protection assessments, though it does give the California Privacy Protection Agency the authority to require a regular “risk assessment” from businesses whose data processing activities present a significant risk to consumers’ privacy or security. The CPPA has not yet drafted those rules, but is expected to do so in the near future.
This is another area where the VCDPA adds a new requirement to the privacy compliance landscape. Whenever a business declines to act on all or part of a consumer’s privacy request (for example, because it claims certain data is exempt from deletion), it must give the consumer a way to appeal that decision.
The law does not provide much detail on what the appeals process must look like, but having the decision reviewed by a second person is a sensible approach. The business must also explain any action taken or not taken in response to the appeal and, if it still denies the request, tell the consumer how to contact the Virginia Attorney General’s Office to submit a complaint.
The CCPA contains no such appeal requirement, though businesses are required to provide an explanation if they deny a privacy request.
When a law creates a private right of action, it means that private citizens may sue anyone who violates that law, assuming the plaintiff has suffered some injury as a result of the violation. The VCDPA does not create a private right of action, and can only be enforced by the Virginia Attorney General. Therefore, if a Virginian’s privacy rights are violated, their only recourse is to make a complaint to the AG’s Office.
The CCPA takes a slightly different approach. It does not create a general private right of action for any violation, but it does allow consumers to sue when their unencrypted and unredacted personal information is exposed in a security breach that results from the business’s failure to implement and maintain reasonable security procedures. In that case, each consumer can recover statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) without having to prove actual harm. Because those amounts multiply across every affected consumer, a single breach creates an obvious potential for class action lawsuits, so businesses are strongly encouraged to create and maintain strong security practices.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.