In the absence of comprehensive federal legislation on the topic, states have taken it upon themselves to protect consumers’ information in our increasingly data-driven world. On February 5, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“CDPA”). If signed by Governor Northam, CDPA would be the second comprehensive state-level consumer data privacy law in the United States. The California Consumer Privacy Rights Act (“CCPA”) is the only other state law that provides similar comprehensive protections. More states are sure to follow California and Virginia’s lead in the coming years. Regulatory differences between US jurisdictions will lead to compliance headaches for any business that relies on consumer data processing. If the Virginia law is any indication, however, future data privacy laws will likely adopt the consumer rights regime already codified in the trailblazing CCPA. Let’s take a look at Virginia’s CDPA and see what was borrowed from its sister law in California.
How are CDPA and CCPA similar?
The Virginia Bill recognizes many consumer rights first established in the CCPA, including:
- The right to confirm whether a business is processing the consumer’s personal data;
- The right to correct inaccuracies in such data;
- The right to request a business delete personal data;
- The right to obtain a copy of personal data collected in the previous 12 months;
- The right to opt out of future sale of the data.
In order to assert these rights, a consumer must submit an authorized request (a.k.a. a “verifiable consumer request” under CCPA) to the business. Under both acts the business has 45 days from receipt of a request to comply, with the possibility of one additional 45-day extension when reasonably necessary. Responses must be free of charge to the consumer, and consumers are allowed up to two requests per year in both jurisdictions. Both acts also adopt anti-discrimination provisions that prevent businesses from discriminating in price, quality, and service where a consumer has asserted their rights under the law.
Virginia’s definition of personal data (“any information that is linked or reasonably linkable to an identified or identifiable natural person”) and California’s definition of personal information (“information that identifies, relates to, or could reasonably be linked with a consumer or household”) are similar enough that each would largely regulate the same categories of data, namely directly identifiable and reasonably identifiable personal data. The text of the California law provides a long, non-exhaustive list of data that meets this definition, while the Virginia General Assembly decided to define personal data in similar terms as California without providing any examples. Both states also exempt de-identified data from regulation. No case law or state regulations have further defined what categories are excluded from this definition, but future developments may see these definitions diverge.
Along with consumer rights and the definition of personal data, the acts contain the following similarities:
- Each only protects natural persons residing in their respective states;
- Each excludes from regulation companies already regulated by federal legislation, namely health providers and health insurers regulated under HIPAA and financial institutions regulated under GLBA and FCRA;
- Each includes enforcement provisions administered by the respective state’s Attorney General, with civil penalties of $7,500 for each violation;
- Each creates a Consumer Privacy Fund that earmarks money collected by civil enforcement actions to fund future enforcement;
- Neither requires a business to re-identify de-identified data or maintain identifiable data for the sole purpose of complying with consumer requests.
How are CDPA and CCPA different?
While it is clear that CCPA provided a model for the Virginia General Assembly, there are several ways in which CDPA differs from its predecessor. These subtle distinctions are a great example of why businesses that collect data across jurisdictions must carefully review the compounding nuances of new legislation.
First, the two acts establish different criteria for what constitutes a regulated business. CCPA applies to for-profit entities that conduct business in California and meet any one of the following: (1) earns gross annual revenue over $25 million; (2) buys, receives, or sells personal information of 50,000 or more California residents, households, or devices; or (3) derives 50% or more of annual revenues from selling California residents’ personal information. By contrast, if it becomes law, CDPA would use the following criteria for entities that conduct business in Virginia: (1) controls or processes the personal data of at least 100,000 consumers in a calendar year; or (2) controls or processes personal data of at least 25,000 consumers and derives 50% or more of gross annual revenues from the sale of personal data. California’s criteria generally require a stronger nexus to California, whereas Virginia is seeking to employ broader criteria that may include several businesses excluded from California’s regulations.
While most of the consumer rights in CDPA are the same as in CCPA, the Virginia Bill contains a more specific opt-out provision. CDPA would allow consumers to opt out not only of the sale of data, but also of other activities such as targeted advertising and forms of profiling. There is no comparable provision in CCPA. Notably, the Virginia Bill lacks a private right of action. California provides a private right of action to any consumer “whose nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft or disclosure,” due to a business’s failure to implement reasonable security measures. With no comparable provision, Virginia residents would have to rely on enforcement through the Virginia Attorney General when a business violates CDPA.
One of CDPA’s starkest differences is the absence of any additional protections for children’s data. CDPA would only require businesses to comply with the federal Children’s Online Privacy Protection Act (“COPPA”), which regulates personal information collected from children under 13. By contrast, CCPA provides additional protections for data collected from children under 16. As discussed in a previous article, CCPA requires businesses to receive “opt-in” consent from children between 13 and 15 and parental consent for children under 13 before data collected from a child is sold to or shared with a third party. The Virginia Bill has no comparable opt-in provision or any special protections for children.
Amendments to the CCPA, known as the California Privacy Rights Act (“CPRA”), established the California Privacy Protection Agency (“CPPA”), a state agency tasked with enforcing and adopting regulations under CCPA. By centralizing enforcement under a dedicated agency, California has signaled that future changes to CCPA compliance will be regulatory rather than legislative. Under the Virginia Bill, the Commonwealth’s Attorney General would have the power to enforce the law, but it is unclear from the text of the bill what regulatory authority, if any, the AG would have.
Both acts require businesses that collect consumer data to provide notice at or before the time of collection. However, Virginia’s notice requirements appear to be slightly different from California’s. Both states require notices to describe the purpose for processing personal information, how a consumer may exercise their rights, what data is disclosed to third parties, and who those third parties may be. California requires businesses to disclose all categories of personal information that are “collected,” while the Virginia Bill would only require disclosure for categories of personal information that are “processed.” While this is a subtle difference, “collect” and “process” have distinct meanings for the purposes of both acts, indicating that California may impose a slightly higher burden on what categories a business must disclose. Further, California requires the business to disclose the length of time, or an estimate of the length of time, the business intends to retain each category of personal information. Virginia has no comparable provision. Finally, Virginia specifically requires businesses to disclose in their notices whether personal data is sold for targeted advertising. California-compliant notices should still disclose this practice, as the notice must address every purpose for which data is collected, but there is no special provision emphasizing the importance of disclosing targeted advertising.
How was CDPA influenced by GDPR? (Data Minimization, Controller/processor distinction, DPIAs)
CDPA would also require businesses to perform data protection assessments that account for implemented administrative, technical, and physical data security practices, similar to the Data Protection Impact Assessment (DPIA) required under the GDPR. Assessments must weigh the risks and benefits associated with specific activities such as processing data for targeted advertising or profiling, selling personal data, and processing sensitive data. State investigators may request these assessments through a civil demand, indicating that assessments will be an important aspect of enforcement procedures down the road.
How will new laws impact data privacy compliance?
In terms of consumer rights, the Virginia Bill largely mirrors CCPA with some important additions. Compliance in one state, in most circumstances, will satisfy legal requirements in the other. The subtle differences between these two acts, however, demonstrate why multi-jurisdictional data privacy compliance will continue to be a major issue for consumer data processors in the United States. Differences between jurisdictions may lead companies to simply seek compliance under the “toughest” law. However, neither CCPA nor CDPA should be described as “tougher” across the board. CCPA codifies specific protections for children not found in CDPA. CDPA contains a more nuanced opt-out right. CCPA contains a right of action for consumers who have their data exposed in a data breach. CDPA uses broader criteria to define a regulated business. Neither jurisdiction is necessarily tougher; the rules are simply different. Automated compliance solutions must incorporate these differences as more states adopt their own data privacy laws; otherwise, data processing businesses will no longer be able to operate at a national level.
Washington, New York, Minnesota, Maryland, North Dakota, and Oklahoma are all considering their own data privacy bills. Every year more state legislatures are recognizing that companies that collect and process consumer data have a civic responsibility to uphold consumer privacy. As more states adopt comprehensive consumer data protection laws, companies must identify and minimize the consumer data that they own, collect, and process to reduce multi-jurisdictional regulatory risk. Data minimization and privacy-by-design strategies will reduce these risks and protect companies from costly enforcement actions.