VCDPA vs CCPA: Comparing Virginia and California Privacy Laws
As the first two American states to pass comprehensive data privacy regulations and with both regulations having taken effect on Jan 1, 2023, Virginia and California invite a natural comparison in the industry. A comparison is also important as the two state’s regulations present two different paths for other states to take as they try to craft and pass data regulations.
Whereas the California Consumer Privacy Act and its recent amendments, the California Privacy Rights Act, have put tremendous effort into replicating the majority of the EU’s groundbreaking GDPR regulations, The Virginia Consumer Data Protection Act, which is also quite similar to the GDPR, takes a few different stances on various issues than the CPRA in order to make the regulations slightly more business-friendly.
That is not to say the CCPA is entirely more progressive than the VCDPA, as Virginia’s bill had edges over the original CCPA when it came to things like defined sensitive personal information, broader opt-out rights, and more clearly defined roles of data “processors” and “controllers.”
The main edge Virginia’s regulations have is that the state legislature was able to push the bill through with bipartisan support in just two months, whereas amending the CCPA took over two years. That kind of legislative velocity–or lack of gridlock–matters when other regulations are drafted, which is why many view the VCDPA as a better starting point for any state-level data protection law.
The majority of the VCDPA and CCPA are very similar, such as the data rights granted to consumers, requirements of privacy and consent notices, and definitions of key concepts like personal data, but there are key differences to know.
Private Right of Action
In regards to the overall strength of the VCDPA and CCPA compared, California’s is considered noticeably stronger. That is in large part due to its inclusion of the private right of action, which means individuals can sue businesses over data privacy matters (though even the CPRA’s private right of action is weaker than the GDPR’s as it is limited only to data security incidents).
Virginia’s data privacy law not having a private right of action, while diluting the regulation’s power, is actually what makes it so attractive for other states to copy. Of the six states with comprehensive data regulations (including Iowa’s recently passed bill), only California has the private right of action, which is why many states are choosing not to pass CCPAesque regulations.
Enforcement is another area where the CCPA and its 2023 amendments, the CPRA, are seen as less business-friendly than the VCDPA.
This mainly lies in the fact that the CPRA removed the 30-day cure period the CCPA initially had, meaning if a company is caught violating the regulation, it is automatically fined. The VCDPA still features the 30-day cure period, meaning businesses have some leeway.
The chances of businesses getting hit with a fine are much lower in Virginia as well, since all enforcement for the VCDPA falls on the Attorney General’s office. AG enforcement was also how the CCPA was initially structured, but after realizing the scope of enforcing the regulations, the CPRA founded a governing body, the California Privacy Protection Agency (CPPA) specifically to help with enforcement, meaning the state is taking it much more seriously than Virginia.
The fines themselves are rather similar, with both regulations hitting a violation with up to a $7500 fine. In California, any violation regarding children’s data will automatically be $7500.
Data Protection Impact Assessments
Here, the VCDPA is clearer on what prompts an impact assessment. The CPRA added requirements that businesses within the scope of the regulation maintain “reasonable” security measures, as data processing activities that hold “significant risk” will require periodic audits and impact assessments.
The frequency with which those take place or the definition of “significant risk” are not stated clearly, leaving businesses on their toes.
Virginia’s data regulations state much more directly that DPIAs are necessary when a data controller meets one of these criteria:
1) processing personal data for the purposes of targeted advertising;
2) selling personal data;
3) processing personal data for purposes of profiling (in certain contexts);
4) processing sensitive data; or
5) conducting any processing activity that presents a heightened risk of harm to consumers.
Sensitive Personal Data and Profiling
There is not as much of a gap between sensitive personal data as there initially was between the VCDPA and CCPA, considering the CCPA did not define it at all originally.
With the CPRA correcting that and defining what separates sensitive personal data from personal data, it now includes more categories than the VCDPA does. Under the CPRA changes, businesses must also disclose how they collect, use, and process sensitive personal data–a requirement not within the VCDPA.
While both laws let consumers opt-out of profiling, they approach sensitive personal data a bit differently. The amended CCPA creates a clear opt-out for consumers to prevent their sensitive data from being collected and processed, but Virginia’s data regulations instead make it an opt-in. This means that consumers must consent to their sensitive data being used before businesses can do anything with it.
Further Opt-out Rights
The VCDPA vs CCPA opt-out rights have some differences as well. The CPRA strengthened the CCPA by also allowing consumers to opt out of not just selling, but the sharing of their personal data.
However, Virginia offered more flexible opt-outs from the onset, allowing consumers to opt out of targeted advertising as well. Targeted advertising here means largely across third parties lines, as the following necessary data is not considered targeted:
- Ads based on activities within a data controller's own website or app.
- Ads based on a consumer's search query, website visit or online application.
- Ads directed to a consumer based on their request for information.
- Personal data processed only to measure or report advertising performance/reach.
Another reason the VCDPA is considered weaker is because of the way it grants exemptions and the number of exemptions it has.
While CCPA exempts data itself, VCDPA exempts the entities processing that data.
In California, that means that certain data that falls under other regulations, such as HIPAA, is not confined to CCPA measures, although any other data being processed by the organization is still subject to the CCPA.
In Virginia, any organization that processes data regulated by HIPAA, GLBA (financial data), or several other laws revolving around healthcare and financial information, is exempt from the entirety of the VCDPA.
This means that the law is applied to proportionately fewer businesses within the state than the CCPA within California.
The wording in the VCDPA is quite straightforward in that it does not cover employee data, only consumer data.
The first iteration of CCPA did not extend to employee data either, but the state rectified that with the CPRA, and now does cover personal and sensitive personal data pertaining to employees.
The above are the main differences when considering the VCDPA vs CCPA data regulations.
While there were divergences in the original bills in a few areas that offered more business flexibility when complying, the passage of California’s CPRA amendments have closed several large holes within the CCPA, making it a much stronger and more effective data regulation.
In fact, the very need for California to go back and amend the regulation after it was in place shows how seriously the state is taking data privacy, which is likely why the Golden State is leading the way on the issue within the United States.
There are no current talks to amend the VCDPA, and as it has been used as a guide of sorts for other state data regulations that have come after it, the legislation also is quite important in the grand scheme of things, even if is not as all-encompassing as data privacy advocates would want it to be.