Privacy Law Comparison: California vs. Virginia
The California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA) share many similarities, but those similarities mask some very important differences that significantly affect compliance. Here we’ll highlight the most important ways that the two laws differ from each other.
Employee & B2B Data
Among the U.S. data privacy laws, the CCPA is alone in applying to personal data from not only consumers, but employees, job applicants, and B2B contacts as well. When it was originally passed, the CCPA had a temporary exemption for this data, which the state kept extending. That changed on January 1, 2023, when the exemption finally expired without further extensions.
Employee data in particular presents a challenge for businesses: they not only have to map this data separately, they also have to determine how to respond to employees’ privacy requests, such as requests to access or delete their personal data.
Virginia, on the other hand, permanently exempts any data collected in an employment or commercial context.
Selling Personal Data
Both the California and Virginia laws give consumers the right to opt out of the sale of their personal data (as well as targeted advertising), but they define “sale” in subtly different ways. The VCDPA defines a sale as the exchange of personal data for monetary consideration (i.e., money), while the CCPA defines it as making personal information available for monetary “or other valuable consideration.”
It’s a small difference with big implications. Most businesses that have to comply with the CCPA don’t trade personal information for money, but the California definition doesn’t require money to change hands. Receiving free or discounted access to a product or service (such as software like Google Analytics) in exchange for access to data about your customers would count as a sale, and this is a much more common practice. Any business that sells data in this way has to create a process that allows consumers to opt out.
Data Protection Assessments
Switching things up, here’s an example where the VCDPA imposes a higher burden than the CCPA. The Virginia law requires businesses to conduct data protection assessments when processing personal data for any of the following purposes:
- Targeted advertising
- Sale of personal data
- Processing of sensitive data
- Profiling of consumers, where it poses a foreseeable risk of harm or unfair treatment of consumers
- Any other processing that presents a heightened risk of harm to consumers
A data protection assessment must weigh the benefits of the processing against the potential risks to consumers, and consider the use of safeguards to reduce those risks.
The CCPA does not currently require data protection assessments, though it does give the California Privacy Protection Agency the authority to require a regular “risk assessment” from businesses whose data processing activities present a significant risk to consumers’ privacy or security. The CPPA has not yet drafted those rules, but is expected to do so in the near future.
Appealing Privacy Requests
This is another area where the VCDPA has added a new requirement to the privacy compliance landscape. Anytime a business refuses to take action on all or part of a consumer’s privacy request (for example, claiming that certain data is exempt from deletion), it must provide the consumer with a way to appeal that decision.
The law does not provide much detail on what the appeals process must look like, but it’s probably a good idea to have the decision reviewed by a second person. The business must also explain any actions taken or not taken in response to the appeal, and, if it still denies the request, provide a way to contact the Virginia Attorney General’s Office.
The CCPA contains no such appeal requirement, though businesses are required to provide an explanation if they deny a privacy request.
Private Right of Action
When a law creates a private right of action, it means that private citizens may sue anyone who violates that law, assuming the plaintiff has suffered some injury as a result of the violation. The VCDPA does not create a private right of action, and can only be enforced by the Virginia Attorney General. Therefore, if a Virginian’s privacy rights are violated, their only recourse is to make a complaint to the AG’s Office.
The CCPA takes a slightly different approach. It does not create a general private right of action over any violation, but does allow consumers to sue businesses if their personal information is compromised due to a security breach. In that case, each consumer can recover up to $750 per incident, without having to prove actual damages. This creates an obvious potential for class action lawsuits, so businesses are strongly encouraged to create and maintain strong security practices.