What is the difference between the VCDPA and the CCPA?
Privacy concerns have become increasingly prevalent in recent years, prompting many states to enact privacy laws to protect consumer data. Considered the toughest data privacy law in the United States, the California Consumer Privacy Act, or CCPA, became effective on January 1, 2020 and enforceable as of July 1, 2020. It was supplemented by the California Privacy Rights Act (CPRA) in 2022, with the amendments effective as of January 1, 2023. Following California, Virginia became the second state to pass a comprehensive privacy act when it signed the Virginia Consumer Data Protection Act (VCDPA) into law in 2021. While these two laws share many similarities, they also differ from one another. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) inspired many other states when they drafted their own laws, dividing states between the ‘Californian’ and ‘Virginian’ approaches to data protection.
In this article, we compare and contrast these two laws, analyzing their similarities and differences. By understanding the nuances of these laws, businesses and consumers can better navigate the complex landscape of data privacy in the United States. Both here and further on, whenever we discuss the California privacy law, we refer to the amended version, also known as the California Privacy Rights Act, as the CCPA.
Applicability
Who must comply with the VCDPA?
The Virginia Consumer Data Protection Act, or VCDPA, applies to businesses that conduct business in Virginia or produce products and services targeted to Virginia residents. There is no revenue threshold; however, to fall under the scope of the VCDPA, a business must either:
- Control or process the personal data of 100,000 or more consumers; or
- Control or process the personal data of 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.
Am I a Controller or a Processor?
The terminology of the VCDPA is different from that of the CCPA. Still, it should be familiar to anyone working with the EU General Data Protection Regulation (GDPR). A ‘controller’ is a company or individual that determines the means and purpose of processing personal data, alone or jointly with other controller(s). A ‘processor’ is a company or individual that processes personal data on behalf of the controller. You either issue the instructions or follow those given to you.
Are there any exemptions from the VCDPA?
Indeed, specific categories of business are exempt from the VCDPA, including:
- Financial institutions subject to the Gramm-Leach-Bliley Act;
- Virginia state agencies;
- Higher education institutions;
- Non-profit organizations;
- Business associates or covered entities that are governed by the security, privacy, and breach notification rules established under the Health Insurance Portability and Accountability Act (HIPAA).
Who must comply with the CCPA?
The California Consumer Privacy Act (CCPA) applies to businesses that either operate in California or offer products and services to California residents. Additionally, a business must meet at least one of these criteria to fall under its scope:
- Annual gross revenue of at least 25 million USD; or
- Deriving at least 50% of annual revenue from selling or sharing personal information; or
- Buying, selling, or sharing with third parties the personal information of at least 100,000 California residents.
IMPORTANT: Unlike the CCPA, the VCDPA has no revenue threshold.
Are there any exemptions from the CCPA?
According to the regulation text, a series of organizations and types of data are excluded from compliance:
- Medical information that is governed by the Confidentiality of Medical Information Act;
- Healthcare providers that are governed by the Confidentiality of Medical Information Act, or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services;
- Personal information collected during a clinical trial that is subject to the Federal Policy for the Protection of Human Subjects;
- Personal information collected, processed, sold, or disclosed according to the federal Gramm-Leach-Bliley Act and its implementing regulations, or the California Financial Information Privacy Act;
- Personal information collected, processed, sold, or disclosed according to the Driver's Privacy Protection Act of 1994.
What is the difference between personal information and personal data?
The VCDPA protects ‘personal data’, which is any information reasonably linked to an identifiable or identified person. It does not apply to public information or de-identified information. ‘Sensitive data’ is a particular category of data, which includes personal data revealing racial or ethnic origin, mental or physical health, religious beliefs, sexual orientation, citizenship or immigration status, and genetic or biometric data.
The CCPA protects ‘personal information’ and defines it as any information that relates to, describes, is reasonably capable of being associated with, or could be linked directly or indirectly with a particular consumer or household. Under the CCPA, ‘sensitive personal information’ means information that reveals account credentials, credit card number, precise geolocation, race or ethnic origin, religious or philosophical beliefs, union membership, genetic or biometric data, information revealing health, sex life or sexual orientation, social security number, driver's license, ID or passport number.
Business responsibilities
As mentioned above, the Virginia Consumer Data Protection Act defines two roles for businesses participating in processing activities, Controller and Processor, and their responsibilities differ.
Responsibilities of a Controller
Responsibilities of the Controller under the VCDPA include obligations to:
- Limit the collection of personal data to what is adequate, relevant, and necessary to meet the purpose of the processing;
- Process personal data only for the purposes it was collected for, or seek additional consent for new purposes of processing;
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
- Establish, and describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter;
- Respond to consumer rights requests and not discriminate against a consumer for exercising any of the consumer rights, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer;
- Only process sensitive personal data when consent has been provided;
- Provide consumers with a reasonably accessible, transparent, and meaningful privacy notice;
- Ensure security of processing, and conduct and document data protection assessments where necessary.
A Controller is responsible for defining the means of processing and ensuring the Processor receives complete instructions on data processing. A contract between a Controller and a Processor is required to comply with the VCDPA; it must be binding and clearly set out the instructions on data processing, as well as describe the nature and purpose of the processing, the types of data and of consumers whose data is being processed, the duration of processing, and the rights and obligations of both parties.
Responsibilities of a Processor
To comply with the VCDPA, a Processor must follow the instructions of the Controller when it comes to processing personal data and implement appropriate technical and organizational measures to:
- Assist the Controller in its obligation to respond to consumer rights requests;
- Assist the Controller in meeting its obligations concerning security of processing and notification of a breach of security;
- Provide the information necessary to enable the Controller to conduct and document data protection assessments;
- Ensure that each person involved in data processing is subject to a duty of confidentiality;
- Delete or return all personal data to the Controller at the end of the provision of services;
- Make available to the Controller all information in its possession necessary to demonstrate the Processor's compliance;
- Allow and cooperate with reasonable assessments by the Controller or the Controller's designated assessor.
Responsibilities of Businesses
Although the CCPA terminology draws no clear distinction between a Controller and a Processor, the wording still provides for slightly different responsibilities for a 'business that controls the collection' and a 'service provider', which is any legal entity that operates under a service provider contract and receives consumers' personal information from a business.
The general duties of the business are as follows:
- Provide consumers with a notice about the collection of their personal information;
- Ensure that sensitive personal information is collected and processed only with the consent of the consumer;
- Collect, use, and share personal information only where it is reasonably necessary to achieve the purpose of the processing;
- Implement reasonable security measures to ensure the protection of personal information;
- Provide consumers with easily accessible means to exercise their rights, and do not penalize or discriminate against a consumer for exercising any of the consumer rights contained in this chapter;
- Where personal information is shared with third parties, share it only under an agreement that clearly defines the responsibilities of both parties and obliges service providers to assist the business in fulfilling its obligations, ensure adequate protection and confidentiality of personal information, assist and cooperate in responding to verifiable consumer requests, and comply with other obligations.
Consumer Rights
The Virginia Consumer Data Protection Act provides consumers with the right to:
- Confirm whether their personal data is being processed;
- Correct inaccurate personal data;
- Delete personal data;
- Obtain a copy of personal data;
- Opt out of processing for the purposes of targeted advertising, sale of personal data, or profiling; and
- Appeal a Controller's refusal to take action upon receiving a request.
Under the CCPA, this list is more extensive, as consumers have the right to:
- Confirm whether their personal information is being processed;
- Correct inaccurate personal information;
- Delete personal information;
- Obtain a copy of personal information;
- Opt out of processing for the purposes of targeted advertising, sale of personal information, or profiling; as well as
- Limit the use of sensitive personal information;
- Hold businesses accountable for failing to protect sensitive personal information;
- Appeal a business's refusal to take action upon receiving a request.
Enforcement
The Virginia Attorney General enforces the Virginia Consumer Data Protection Act; a civil penalty may reach $7,500 per violation, plus recovery of investigation costs.
The California Privacy Protection Agency, also known as the CPPA, and the California Attorney General both have the right to impose administrative fines, which may go up to $2,500 for each unintentional violation or $7,500 for each intentional one, plus recovery of investigation costs. Additionally, the CCPA provides for a private right of action, which enables consumers to exercise their rights or challenge businesses' actions (or lack thereof) directly in court.
Conclusion
The VCDPA and the CCPA indeed share many similarities, as both laws aim to protect the privacy rights of consumers and provide them with additional control over their personal information. However, the Virginia law has a narrower scope than California's, as it only applies to consumers, excluding employees. As California and Virginia were the first states to sign comprehensive data protection laws, it is essential to understand their differences, as they help in navigating the data protection laws enacted by other states in recent years.