Topic

The VCDPA vs. CCPA: Comparing State Privacy Laws

May 3, 2023
The VCDPA vs. CCPA: Comparing State Privacy Laws

California and Virginia are leading the effort among states to enact new consumer data privacy laws that identify specific consumer privacy rights and introduce requirements for the commercial collection and processing of consumer data.

The California Consumer Privacy Act (CCPA) went into effect in 2020 and created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. The California Privacy Rights Act (CPRA) – sometimes referred to as “CCPA 2.0” – was a ballot measure approved by California voters in 2020, which significantly amended and expanded the rights and requirements set forth in the CCPA.

Virginia’s Consumer Data Protection Act (VCDPA) went into effect in Jan. 2023 and creates rights and obligations related to the processing of consumer data similar to the California laws, but with key differences around enforcement, exemptions, and how consumer rights are defined.

The following table provides an at-a-glance comparison of the key elements of each law; it is not meant to provide a comprehensive overview of each law’s provisions.

[Download the full comparison table as a PDF.]

What are the basics?

CCPA CPRA VCDPA
Name
California Consumer Privacy Act California Privacy Rights Act Consumer Data Protection Act
Citation
Cal. Civ. Code § 1798.100 et seq. Cal. Civ. Code § 1798.100 et seq. Va. Code § 59.1-571 et seq.
Jurisdiction
California California Virginia
Scope Comprehensive Comprehensive Comprehensive
Model
Opt-out Opt-out Opt-out
Sector
Non-sectoral Non-sectoral Non-sectoral
Effective Date(s) Jan. 1, 2020 Took effect Dec. 16, 2020; CCPA revisions operative Jan. 1, 2023 Jan. 1, 2023

Whose data is protected?

CCPA CPRA VCDPA
Statutory term Consumer Consumer Consumer
Defined as Natural person who is California resident Natural person who is California resident Natural person who is Virginia resident

What data is protected?

CCPA CPRA VCDPA
Statutory term Personal information Personal information Personal data
Defined as Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked – directly or indirectly – to a particular consumer or household Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked – directly or indirectly – to a particular consumer or household Any information that is linked or reasonably linkable to an identified or identifiable natural person
Definition excludes de-identified data Yes, but see provisions regarding reidentification of de-identified information Cal. Civ. Code §1798.148 Yes, but see provisions regarding reidentification of de-identified information. Cal. Civ. Code §1798.148. Moreover, the CPRA authorizes the attorney general to update the definition of “de-identified.” Cal. Civ. Code §1798.185(a) Yes, but special requirements apply to de-identified data Va. Code § 59.1-581
Definition excludes publicly available info Yes Yes Yes
Definition excludes aggregate info Yes Yes Not specified

What types of data have heightened protections?

CCPA CPRA VCDPA
Statutory term None Sensitive personal information Sensitive data
Biometric data n/a No Yes
Children’s data n/a No Yes
Citizenship status n/a No Yes
Electronic communications n/a Yes, content of No
Financial account info n/a Yes, credentials or access to No
Genetic data n/a Yes Yes
Geolocation info n/a Yes, “precise” Yes, “precise”
Government-issued ID n/a Yes No
Marital status n/a No No
Mental health n/a No Yes, diagnosis
Physical health n/a No Yes, diagnosis
Political opinion n/a No No
Race/ethnicity n/a Yes Yes
Religious beliefs n/a Yes Yes
Sexual orientation n/a No Yes
Union membership n/a Yes No

What data is exempt?

CCPA CPRA VCDPA
B2B-related data Yes (until 1/1/2023) No Yes
Common rule-covered info Yes Yes Yes
COPPA-related info No No No
DPPA-covered info Yes Yes Yes
Employment-related data Yes (until 1/1/2023) No Yes
FCRA-covered info Yes Yes Yes
FERPA-covered info No No Yes
GLBA-covered data Yes Yes Yes
HIPAA de-identified info Yes Yes Yes
HIPAA-protected health info Yes Yes Yes

Who must comply?

CCPA CPRA VCDPA
Private sector Business, service provider Business, service provider, contractor Controller, processor
Jurisdictional threshold “Does business” in California “Does business” in California “Conducts business” in Virginia or produces products or services “targeted” to Virginia residents
Revenue threshold Annual gross revenues greater than $25 million Annual gross revenues greater than $25 million in preceding calendar year None
Processing threshold Data of 50,000 or more consumers Data of 100,000 or more consumers Data of 100,000 or more consumers
Broker threshold At least 50% of revenue from selling of data At least 50% of revenue from selling or sharing data Data of 25,000 or more consumers and at least 50% of revenue from sale of data

Who is exempt?

CCPA CPRA VCDPA
Public sector Yes Yes Yes
Nonprofits Yes Yes Yes
GLBA financial institutions No No Yes
HIPAA-covered entities Yes Yes Yes
HIPAA business associates Yes Yes Yes
Higher education institutions No No Yes

Navigate state consumer data privacy laws with confidence with Bloomberg Law

Save valuable time when you trust Bloomberg Law’s Chart Builder tool to compare consumer data privacy laws across multiple jurisdictions and understand complex regulatory and compliance requirements with ease. Download this page to easily compare elements of the VCDPA with other key state privacy laws.

Our expert analysis, comprehensive coverage, news, and practice tools help you stay on top of the dynamic field of consumer data privacy so you can provide sound counsel to your clients and stakeholders. See it for yourself. Request a demo.

Related Resources

View All

AI and the Legal Profession in 2024

Top