PH Privacy
Analysis and Comparison: The Virginia Consumer Data Protection Act and California Privacy Laws
February 17, 2021
Sherrese Smith, Jacqueline Cooney, Brianne Powers, and Daniel Julian
Summary:
Virginia’s legislature recently passed the Virginia Consumer Data Protection Act (S.B. 1392; H.B. 2307) (the “VCDPA”). Once signed into law by the governor, as expected in early to mid-March, the VCDPA will become the second major comprehensive privacy law in the US after the California Consumer Privacy Act (“CCPA”). As discussed in a prior blog post, the CCPA was recently amended by the California Privacy Rights Act (“CPRA”), which will go into effect on January 2, 2023.
Similar to the CCPA and CPRA, the VCDPA is broad legislation that addresses a number of privacy topics, including (1) expanding the definition of personal data in Virginia, (2) providing certain rights to Virginia residents, (3) creating obligations for entities that conduct business or provide products or services in Virginia, and (4) allowing for significant enforcement authority for the Virginia Attorney General.
Once signed, the VCDPA will go into effect on January 1, 2023.
Key Takeaways:
- Scope of the VCDPA is Slightly More Limited than CCPA: The VCDPA is similar to the CCPA in scope, but, instead of exempting certain personal data from the law, it exempts the businesses themselves – including, notably, financial services companies that must comply with the Gramm-Leach-Bliley Act (“GLBA”) and companies that must comply with the Health Insurance Portability and Accountability Act (“HIPAA”).
- VCDPA Does Not Apply to Employees or Business Contacts: The VCDPA specifically carves out of the definition of “consumers” any individuals acting in a commercial or employment context and, therefore, the rights provided to consumers within the law do not appear to extend to employees or those who are engaged in processing of personal data in a commercial (business-to-business) context.
- Expanded Individual Rights: Like the CCPA, the VCDPA includes specific individual rights. In addition to including rights similar to those in the CCPA and CPRA, such as access, deletion, portability, and opting out of the “sale” of data, it also includes the rights to:
  - Opt out of processing of personal data for the purposes of targeted advertising;
  - Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (this is similar to the right to opt out of automated decision-making included in the EU General Data Protection Regulation (“GDPR”)); and
  - Confirm whether a controller is processing personal data.
- Contract Requirements are Specifically Included: Similar to new provisions in the CPRA, the VCDPA will require in-scope businesses to enter into specific contracts with processors (including any service providers or other third parties to which they transfer information).
- Data Protection Assessments are Required: Similar to new provisions in the CPRA, entities that process certain personal data will be required to conduct data protection assessments.
- No Private Right of Action: The Virginia Attorney General will enforce the VCDPA and, unlike the CCPA, which provides for a private right of action for data security incidents, there is no private right of action included in the VCDPA.
Side-by-Side Comparison of Key Provisions:
General Topic Area | Specific Topic Area | CCPA and CPRA (California) Requirements | VCDPA (Virginia) Requirements
--- | --- | --- | ---
Scope | Definition of Personal Data | Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | Any information that is linked or reasonably linkable to an identified or identifiable natural person
Scope | Sensitive Personal Data | An explicit definition of sensitive personal data was not included in the CCPA, but was included in the new CPRA. Under the CPRA, CA residents will be allowed to opt out of processing of sensitive data, which is defined as personal information: | Provides an explicit definition of sensitive personal data and requires consent for processing this type of data, defined as:
Scope | Applicability to Businesses | Entities that conduct business in CA that also: (*This will increase to 100,000 under the CPRA; **This will also include “sharing” of personal data under the CPRA) | Entities that conduct business in VA or produce products that are targeted to VA residents that also:
Scope | Exemptions | Exempts from the requirements of the CCPA certain data (while an entity must comply with the CCPA, the CCPA does not apply to an entity’s data that is otherwise regulated by HIPAA or GLBA) | Exempts any entity that is subject to GLBA or HIPAA
Scope | Applicability to Employees and Business-to-Business Communications | Employee data and data collected for commercial, business-to-business communications are within the scope of the CCPA and CPRA, but certain rights provided to California consumers (including access and deletion rights) do not apply to employees or business-to-business communications until the CPRA goes into effect in January 2023 | The VCDPA specifically carves out of the definition of consumer any person acting in a commercial or employment context
Definitions of Parties | Designation of Controllers and Processors | Does not include designation of “controllers” or “processors”; instead places obligations on “businesses”, “service providers” and “third parties” | Uses similar “controller” and “processor” designations as the GDPR and imposes specific obligations on each
Individual Rights | Right to Confirm Processing | No explicit right included in the CCPA, but this right can be inferred from the language related to access rights | Right to confirm whether a controller is processing personal information
Individual Rights | Right to Access | Right to access personal data collected, sold or transferred in the last 12 months | Right to obtain a copy of personal data previously provided to the controller
Individual Rights | Right to Portability | All access requests must be exported in a user-friendly format, but there is no import requirement | Right to receive a copy of personal data in a readily usable format that can be transferred to another controller
Individual Rights | Right to Correction | A right to correct data was not included in the CCPA, but has been added under the new CPRA | Right to correct inaccuracies
Individual Rights | Right to Opt Out of Certain Processing | Right to opt out of selling personal data only; must include an opt-out link on the website. Under the CPRA, this will expand to allow for opt-outs of sharing of personal data | Right to opt out of the processing of personal data for the purposes of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Individual Rights | Right to Deletion | Right to delete personal data collected, under certain conditions | Right to delete personal data collected, under certain conditions
Individual Rights | Right to Equal Services and Price | Businesses are prohibited from providing different prices or different levels of quality of goods or services to consumers that exercise their rights (except where a consumer declines to participate in certain data collection) | Businesses are prohibited from providing different prices or different levels of quality of goods or services to consumers that exercise their rights (except where a consumer has opted out of targeted advertising or is a member of a loyalty program)
Requirements on Controllers | Privacy Notice Requirements | Requires clear notice to consumers that includes categories of personal data collected; specific format and requirements are included | Requires clear notice to consumers that includes categories of personal data processed; specific format and requirements are included
Requirements on Controllers | Contract Requirements | Service provider contracts must include certain requirements not to sell or process data outside the scope of services | Contracts are required between controllers and processors, including specific types of obligations that must be placed on the processor by the controller
Requirements on Controllers | Data Protection Requirements | In-scope businesses must maintain “reasonable” security measures. Under the CPRA, processing activities that present a “significant risk” to consumers’ privacy or security will require annual audits and periodic risk assessments | In-scope businesses must maintain “reasonable” security measures and conduct data protection assessments. A data protection assessment is required when a controller is: (1) processing personal data for the purposes of targeted advertising; (2) selling personal data; (3) processing personal data for purposes of profiling (in certain contexts); (4) processing sensitive data; or (5) conducting any processing activity that presents a heightened risk of harm to consumers
Enforcement | Private Right of Action | Only in relation to security incidents: minimum damages of $100 and maximum damages of $750 per CA consumer per incident | No private right of action, even for security incidents
Enforcement | Regulator Enforcement Penalties | Enforced by the AG* with a 30-day cure period; no ceiling, $7,500 per violation (*Under the CPRA, will be enforceable by the new CA data protection agency) | Enforced by the AG with a 30-day cure period; up to $7,500 per violation