CDPA, CCPA and CPRA: Key Differences


All About California’s CDPA, CPRA VS CCPA

On March 2, 2021, Governor Ralph Northam signed Virginia’s Consumer Data Protection Act (CDPA) into law, making Virginia the second state to adopt a comprehensive consumer privacy law, after California. It draws heavily from the proposed Washington Privacy Act and brings together concepts from the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). The law has been in effect since January 1, 2023.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers, passed on November 3, 2020. Most provisions are not operative until Jan. 1, 2023.

What is Virginia CDPA compliance?

The Virginia Consumer Data Protection Act (VCDPA) is privacy legislation granting Virginia residents specific rights regarding their personal data. While influenced by the California Consumer Privacy Act (CCPA), the VCDPA has distinctive features. It notably contains provisions safeguarding children’s privacy. The enforcement of the VCDPA falls under the purview of the Virginia Attorney General.

What is CPRA (California Privacy Rights Act) Compliance?

The CPRA, or California Privacy Rights Act, is a data privacy law in the state of California, USA. It builds upon the California Consumer Privacy Act (CCPA) and further enhances consumer privacy rights. The CPRA introduces additional requirements and regulations for businesses that handle personal information of California residents. It grants consumers more control over their personal data, imposes stricter rules on data handling practices, and establishes a dedicated agency, the California Privacy Protection Agency (CPPA), to enforce and implement the law. CPRA compliance refers to the measures and actions businesses must take to adhere to the requirements and obligations outlined in the CPRA.

VCDPA, CCPA and CPRA: Key Differences & Similarities

In the ever-evolving landscape of data privacy, businesses need to navigate the intricacies of state-specific regulations: the Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). To help you understand their similarities and differences, we’ve prepared a comparison below. If you’re wondering what CCPA and CPRA entail, how they differ from the VCDPA (CDPA privacy law), and what the CPRA and CDPA requirements encompass, this comparison clarifies Virginia privacy law versus the California privacy laws (CCPA and CPRA) and the nuances between them.

CCPA civil penalties can be significant, ranging from $2,500 to $7,500 per violation, emphasizing the California Consumer Privacy Act’s commitment to enforceable consequences for non-compliance with data privacy regulations. 

VCDPA, CPRA and CCPA penalties

The VCDPA (Virginia Consumer Data Protection Act), CCPA (California Consumer Privacy Act), and CPRA (California Privacy Rights Act) impose varying penalties for non-compliance with data protection regulations. Each has its own set of consequences, with fines and penalties designed to ensure accountability in handling consumer data. Understanding and adhering to the specific provisions of these privacy acts is crucial to avoid financial penalties and legal repercussions. Refer to the chart below for better understanding.

Similar But in Different Ways

CDPA
CCPA
CPRA

Applicability

Who does CDPA apply to?

Section 59.1-572(A)
CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:
– Control or process the personal data of at least 100,000 consumers during a calendar year.
– Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.

Who does CCPA apply to?

Section 1798.140(c)
CCPA applies to a “business” defined as a for-profit entity doing business in California that collects or processes consumers’ personal information and meets one or more of these thresholds:
– Annual gross revenues in excess of $25,000,000.
– Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
– Derives 50% or more of its annual revenues from selling consumers’ personal information.

Who does CPRA apply to?

Section 1798.140(d)
CPRA applies to a “business” defined as a for-profit entity doing business in California that collects or processes consumers’ personal information and meets one of these thresholds:
– Annual gross revenues in excess of $25,000,000 in the preceding calendar year.
– Annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
– Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Enforcement date

CDPA

January 1, 2023

CCPA

July 1, 2020

CPRA

July 1, 2023

Consumer Rights Under CDPA, CCPA, CPRA

CDPA

Section 59.1-573(A)

  1. Right to be informed and access
  2. Right to rectification
  3. Right to deletion
  4. Right to portability
  5. Right to opt-out of targeted advertising, the sale of personal data or profiling.

CCPA

Section 1798.100 – 1798.125

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete.
  4. Right to Access personal information.
  5. Right to Know if Personal Information is Sold.
  6. Right to Opt-Out of sale.
  7. Right against discrimination.

CPRA

Section 1798.105 – 1798.125

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete.
  4. Right to rectification.
  5. Right to Access personal information.
  6. Right to Know if Personal Information is Sold.
  7. Right to Opt-Out of sale.
  8. Right to Limit Use and Disclosure of Sensitive Personal Information.
  9. Right against discrimination.

Personal Information

CDPA

Personal data means any information that is linked or reasonably linked to an identified or identifiable natural person. It does not include deidentified data or publicly available information (a separately defined term).

CCPA

Section 1798.140(o)
Personal information is defined broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information or deidentified or aggregate consumer information.

CPRA

Section 1798.140(v)
Personal information is defined broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information or deidentified or aggregate consumer information.

CDPA, CCPA, CPRA Obligations

CDPA

Data Minimization:
Controllers are required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary.

Reasonable Data security:
Controllers are required to maintain reasonable security measures to protect the personal data.

Privacy Notice requirement:
Controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice.

Sensitive Data:
Controllers are prohibited from processing sensitive data without obtaining the consumer’s consent.

CCPA

Data Minimization:
Data minimization is not mandated under CCPA.

Reasonable Data security:
The Private Right of Action provision references a business’s duty to implement and maintain reasonable security procedures and practices.

Required Notice:
Notice at collection, notice of right to opt-out of sale, notice of financial incentive.

Sensitive Data:
Categories and purposes of sensitive personal information that are collected or used by businesses must be communicated to consumers, at or before the point of collection.

CPRA

Data Minimization:
Prohibits a business from retaining a consumer’s personal information or sensitive personal information for longer than is reasonably necessary for that disclosed purpose.

Reasonable Data security:
A business that collects a consumer’s personal information is required to implement reasonable security procedures and practices in accordance with Section 1798.81.5.

Required Notice:
Notice at collection, notice of right to opt out of sale and sharing, notice regarding sensitive personal information required under certain circumstances, notice of financial incentive.

Sensitive Data:
A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information is prohibited from doing so.

Minors

CDPA

Section 59.1-572(D)
Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) shall be deemed compliant with any obligation to obtain parental consent under this chapter.

Section 59.1-573(A)
A known child’s parent or legal guardian may invoke consumer rights on behalf of the child regarding processing personal data belonging to the known child.

CCPA

Section 1798.120(c)
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. This right may be referred to as the “right to opt-in.”

Section 1798.120(d)
A business that has not received consent to sell the minor consumer’s personal information shall be prohibited from selling the personal information unless the consumer subsequently provides express authorization.

CPRA

Section 1798.120(c)
A business shall not sell or share the personal information of consumers if the business has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 and less than 16, or the consumer’s parent or guardian, in the case of consumers who are less than 13, has affirmatively authorized the sale or sharing of the consumer’s personal information.

Section 1798.120(d)
A business that has not received consent to sell or share the minor consumer’s personal information shall be prohibited from selling or sharing the personal information unless the consumer subsequently provides consent.

Penalties

CDPA

Section 59.1-579 and Section 59.1-580
If the controller or processor fails to cure the alleged violation within the 30-day period, the attorney general may initiate an action and seek an injunction and civil penalties of up to $7,500 for each violation.

CCPA

Section 1798.155(b)
A business, service provider or other person that violates the law is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation, to be assessed and recovered in a civil action brought by the attorney general.

CPRA

Section 1798.199.90
Any business, service provider, contractor or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation and each violation involving the personal information of minor consumers, to be assessed and recovered in a civil action brought by the attorney general.

Common provisions

1. Responding to consumer requests:

  • A 45-day period to respond to consumer requests.
  • This period may be extended once by 45 additional days when reasonably necessary.
  • The business must deliver the requested information free of charge.

2. Purpose limitation as major obligation:

  • Prohibited collection of additional categories of personal information or use of personal information collected for additional purposes without providing notice.

3. No discrimination against consumers:

  • Prohibits businesses from discriminating against consumers for exercising their rights.

4. Right to opt-out of sale:

  • Provides consumers with a right to opt out of the sale of their personal information at any time.

5. 30-day period to cure allegations:

  • Provides 30 days to cure alleged non-compliance before being in violation of the law.

Compliance with GDPR or CCPA does not assure compliance with Virginia’s CDPA. Although there are some similarities among all the active privacy laws, the framework and definitions of the CDPA carry their own unique requirements and guidance.

Resource:
IAPP


FAQs

What do CDPA, CCPA, and CPRA stand for, and what is the purpose of each regulation?
  • CDPA: Virginia Consumer Data Protection Act
  • CCPA: California Consumer Privacy Act (original law)
  • CPRA: California Privacy Rights Act (amended CCPA)

Each of these regulations shares the common goal of empowering consumers with control over their personal data collected by businesses. They emphasize rights related to access, deletion, opt-out, and protection against discrimination.

How do the CDPA, CCPA, and CPRA differ in terms of geographical scope?
  • CDPA: Applies to businesses operating in Virginia or processing data of Virginia residents.
  • CCPA: Applies to businesses operating in California or processing data of California residents.
  • CPRA: Same scope as CCPA, but applies to businesses with annual gross revenue exceeding $25 million.

What rights do consumers have under CDPA, CCPA, and CPRA, and how do they compare?

All three: Right to access, delete, correct, and opt-out of data sale/sharing.

CPRA: Additional rights, including portability, correction right without waiting for verification, and limitation of targeted advertising.

How do CDPA, CCPA, and CPRA address the concept of consent for data processing?
  • CDPA: Requires consent for processing sensitive data, including racial, religious, or health information.
  • CCPA: Only requires consent for the sale of personal data, not for general collection or processing.
  • CPRA: Maintains the CCPA standard for consent, but strengthens opt-out rights and allows consumers to object to data processing for targeted advertising.

What are the key obligations for businesses under CDPA, CCPA, and CPRA, and how do they vary?
  • All three: Implement data security measures, provide privacy notices, respond to consumer requests.
  • CCPA/CPRA: Additional obligations like conducting data impact assessments, appointing a data protection officer.
  • CDPA: No requirement to appoint a data protection officer.

How do CDPA, CCPA, and CPRA address sensitive data and the definition of personal information?
  • CDPA: Defines sensitive data more broadly than CCPA and requires consent for its processing.
  • CCPA: Defines personal information more broadly than CDPA, including geolocation and browsing history.
  • CPRA: Maintains the CCPA definition of personal information but expands protections for sensitive data.

Can businesses comply with all three regulations simultaneously, or are there conflicts?

Yes, businesses can comply with all three regulations simultaneously. While some differences exist, they overlap significantly in their core principles and requirements. Most businesses can adapt their practices to comply with both CDPA and CCPA/CPRA if they focus on a robust data privacy framework.
