left-caret
Insights

ph privacy

Analysis and Comparison: The Virginia Consumer Data Protection Act and California Privacy Laws

February 17, 2021

By Sherrese Smith, Jacqueline Cooney, Brianne Powers, and Daniel Julian

Summary:

Virginia’s legislature recently passed the Virginia Consumer Data Protection Act (S.B. 1392; H.B. 2307) (the “VCDPA”). Once signed into law by the governor, as expected in in early to mid-March, the VCDPA will become the second major comprehensive privacy law in the US after the California Consumer Privacy Act (“CCPA”).  As discussed in a prior blogpost, the CCPA was recently amended by the California Privacy Rights Act (“CPRA”), which will go into effect on January 2, 2023.

Similar to the CCPA and CPRA, the VCDPA is broad legislation that addresses a number of privacy topics, including (1) expanding the definition of personal data in Virginia, (2) providing certain rights to Virginia residents, (3) creating obligations for entities that conduct business or provide products or services in Virginia, and (4) allowing for significant enforcement authority for the Virginia Attorney General.

Once signed, the VCDPA will go into effect on January 1, 2023.

Key Takeaways:

  • Scope of the VCDPA is Slightly More Limited than CCPA: The VCDPA is similar to the CCPA in scope, but, instead of exempting certain personal data from the law, it exempts the businesses themselves – including, notably, financial services companies that must comply with the Gramm-Leach-Bliley Act (“GLBA”) and companies that must comply with the Health Insurance Portability and Accountability Act (“HIPAA”).
  • VCDPA Does Not Apply to Employees or Business Contacts: The VCDPA specifically carves out of the definition of “consumers” any individuals acting in a commercial or employment context and, therefore, the rights provided to consumers within the law do not appear to extend to employees or those who are engaged in processing of personal data in a commercial (business-to-business) context.
  • Expanded Individual Rights: Like the CCPA, the VCDPA includes specific individual rights. In addition to including similar rights to the CCPA and CPRA, such as access, deletion, portability, and opting out of “sale” of data, it also includes the rights to:
    • Opt out of processing of personal data for the purposes of targeted advertising;
    • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (this is similar to the right to opt out of automated decision-making which is included in the EU General Data Protection Regulation (“GDPR”)); and
    • Confirm whether controller is processing personal data.
  • Contract Requirements are Specifically Included: Similar to new provisions in the CPRA, the VCDPA will require in-scope businesses to enter into specific contracts with processors (including any service providers or other third parties to which they transfer information).
  • Data Protection Assessments are Required: Similar to new provisions in the CPRA, entities that process certain personal data will be required to conduct data protection assessments.
  • No Private Right of Action: The Virginia Attorney General will enforcement the VCDPA and, unlike the CCPA, which provides for a private right of action for data security incidents, there is no private right of action included in the VCDPA.

Side-by-Side Comparison of Key Provisions:

General Topic Area

Specific Topic Area

CCPA and CPRA (California) Requirements

VCDPA (Virginia) Requirements

Scope

Definition of Personal Data

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

Any information that is linked or reasonably linkable to an identified or identifiable natural person

Sensitive Personal Data

Explicit definition of sensitive personal data was not included in the CCPA, but was included in the new CPRA. Under CPRA, CA residents will be allowed to opt-out of processing of sensitive data, which is defined as personal information:

  1. That reveals a customer’s government-issued identification number financial account information and account login credentials, precise geolocation information, the contents of an email or text messages, genetic data, racial or ethnic origin, religious beliefs, biometrics data, health data, and data concerning sex life or sexual orientation; or
  2. Is used for the purpose of inferring characteristics about a consumer.

Provides explicit definition of sensitive personal data and requires consent for processing this type of data, defined as:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. Genetic or biometric data (used for the purpose of identifying a natural person);
  3. Personal data collected from a child; or
  4. Precise geolocation data.

Applicability to Businesses

Entities that conduct business in CA that also:

  • Have collected data of more than 50,000* CA residents; or
  • Have a gross revenue of more than $25 million; or
  • Derive more than 50% of revenue from sale** of personal data

*This will increase to 100,000 under CPRA

**This will also include “sharing” of personal data under the CPRA

Entities that conduct business in VA or produce products that are targeted to VA residents that also:

  • Control or process data of 100,000 VA residents within a calendar year; or
  • Control or process data of 25,000 VA residents and derive over 50% of revenue from sale of personal data

Exemptions

Exempts from the requirements of CCPA certain data (while an entity must comply with CCPA, the CCPA does not apply to an entity’s data that is otherwise regulated by HIPAA or GLBA)

Exempts any entity that is subject to GLBA or HIPAA

Applicability to Employees and Business-to-Business Communications

Employee data and data collected for commercial, business-to-business communications are within the scope of CCPA and CPRA, but certain rights provided to California consumers (including access and deletion rights) to not apply to employees or business-to-business communications until the CPRA goes into effect in January 2023

VCDPA specifically carves out of the definition of consumer any person acting in a commercial or employment context

 

Definitions of Parties

 

Designation of Controllers and Processors

Does not include designation of “controllers” or “processors”. Instead places obligations on “businesses”, “service providers” and “third parties”

Uses similar “controller” and “processor” designations as GDPR and imposes specific obligations on each

Individual Rights

Right to Confirm Processing

No explicit right included in CCPA, but this right can be inferred from the language related to access rights

Right to confirm whether controller is processing personal information

Right to Access

Right to access personal data collected, sold or transferred in last 12 months

Right to obtain a copy of personal data previously provided to the controller

Right to Portability

All access requests must be exported in user-friendly format, but there is no import requirement

Right to receive a copy of personal data in a readily usable format that can be transferred to another controller

Right to Correction

Right to correct data was not included in the CCPA, but has been added under the new CPRA

Right to correct inaccuracies

Right to Opt Out of Certain Processing

Right to opt-out of selling personal data only; must include opt-out link on website

Under the CPRA, this will expand to allow for opt-outs of sharing of personal data

Right to opt-out of the processing of personal data for the purposes of targeted advertising, sale and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

Right to Deletion

Right to delete personal data collected, under certain conditions

Right to delete personal data collected, under certain conditions

Right to Equal Services and Price

Businesses are prohibited from providing different prices or different levels of quality of goods or services to consumers that exercise their rights (except where a consumer declines to participate in certain data collection)

Businesses are prohibited from providing different prices or different levels of quality of goods or services to consumers that exercise their rights (except where a consumer has opted out of targeted advertising or is a member of a loyalty program)

Requirements on Controllers

 

Privacy Notice Requirements

Requires clear notice to consumers that includes categories of personal data collected; specific format and requirements are included

Requires clear notice to consumers that includes categories of personal data processed; specific format and requirements are included

Contract Requirements

Service provider contracts must include certain requirements to not sell or process data outside of scope of services

Contracts are required between controllers and processors, including specific types of obligations that must be placed on the processor by the controller

Data Protection Requirements

In-scope businesses must maintain “reasonable” security measures

Under the CPRA, processing activities that present a “significant risk” to consumers’ privacy or security will require annual audits and periodic risk assessments

In-scope businesses must maintain “reasonable” security measures, and conduct data protection assessments

A data protection assessment is required when a controller is: 1) processing personal data for the purposes of targeted advertising; 2) selling personal data; 3) processing personal data for purposes of profiling (in certain contexts); 4) processing sensitive data; or 5) conducting any processing activity that presents a heightened risk of harm to consumers.

Enforcement

Private Right of Action

Only in relation to security incidents:

Minimum damages = $100 / Maximum damages = $750 per CA consumer per incident

No private right of action, even for security incidents

Regulator Enforcement Penalties

Enforced by AG* with 30-day cure period

No ceiling, $7,500 per violation

*Under CPRA, will be enforceable by new CA data protection agency

Enforced by AG with 30-day cure period

Up to $7,500 per violation

Practice Areas


For More Information

Image: Sherrese M Smith
Sherrese M Smith
Partner, Corporate Department
Image: Jacqueline W Cooney
Jacqueline W Cooney
Senior Director, Privacy and Cybersecurity
Image: Brianne B Powers
Brianne B Powers
Director, Privacy and Cybersecurity