CCPA vs. CDPA: Comparing California and Virginia’s data-protection laws
What marketers and data processors need to know about the differences between these laws
Last month, the Consumer Data Protection Act (CDPA) became law in Virginia — although it will not go into effect until 2023. As the latest example of sweeping, comprehensive state data-protection law, CDPA has drawn a lot of rough comparisons among pundits between itself and its Californian cousin — the California Consumer Privacy Act (CCPA).
In fairness, the two have a lot of similarities. They both largely grant consumers rights to obtain, know about, and delete their data — as well as opt out of further processing of their personal data. They both offer a base 30-day cure period to businesses in the event of a violation. And they both require companies to take certain information-security steps.
But there are a lot of differences as well.
A complete, itemized comparison of all of these two laws’ similarities and differences would be voluminous. Nonetheless, below are three of the most significant items of comparison for marketing professionals and data-protection practitioners to start with.
The scope of the laws
Similarity: Both laws apply to most for-profit businesses as based, in some manner, on revenue and/or handling of their respective residents’ data.
Difference: Huge. California probably reaches further than Virginia does here.
California’s CCPA applies to any for-profit business (subject to federal-premption limitations) that meet one of the following three requirements:
- It has over $25 million in statutorily adjusted gross annual revenues (regardless of revenue source); OR
- It gets at least 50% of its annual revenue from selling California consumers’ personal data (regardless of revenue amount); OR
- It buys, sells, receives for commercial purposes, and/or shares for commercial purposes, “alone or in combination, the personal information of 50,000 or more [natural persons who are California residents], households, or devices” in a year.
(That “devices” inclusion is a big one in the IoT age.)
In Virginia, meanwhile, CDPA applies to two narrower categories of for-profit businesses (again, subject to federal-preemption exclusions):
- The business controls or processes the personal data of at least 25,000 Virginia consumers in a calendar year AND get more than 50% of its gross revenue from the sale of personal data; OR
- The business controls or processes at least 100,000 Virginia consumers’ personal data in a calendar year (regardless of revenue).
Some additional quirks: California has a “right-to-repair” exemption for data-sharing built into CCPA. Virginia, meanwhile, exempts in-state postsecondary schools (even for-profit ones) from CDPA’s requirements.
Both states also have carveouts protecting data processing in the employer and benefits-administrator contexts, as well as for “emergency contact” purposes.
Public availability exception
Similarity: Both CCPA and CDPA have “publicly available information” exceptions.
Difference: CCPA strictly limits what qualifies as “publicly available information”; CDPA defines “publicly available information” extremely broadly.
Both laws protect personal data, but exclude from their respective definitions thereof “publicly available information”. If it’s public, it’s not personal.
When Virginia says “publicly available information,” it means it — and then some. This MarTech Today article covers the topic more fully, but to oversimplify: If a layperson could reasonably consider it “publicly available information”, then it probably is so under CDPA, as long as the information was made public “lawfully”.
Californians, on the other hand, aren’t playing around here. Under CCPA, “publicly available information” only includes that information which is “lawfully made available from federal, state, or local government records.”
And CCPA is even more protective than that. To further protect consumers in the age of ubiquitous data-scraping and facial recognition outsourced to government contractors, California goes yet further with this additional language: “‘Publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.”
Severity of penalties
Similarity: Maximum penalty of $7,500 per violation.
Difference: But not really. CDPA penalties can be more severe.
Bonus Difference: CCPA explicitly allows some private rights of action; CDPA does not.
Except: Both may implicitly allow related private rights of action.
This: Is a tad convoluted, yes.
Both CCPA and CDPA provide for a maximum penalty of $7,500 per violation — in general.
CDPA extends this by specifically allowing recovery of investigative costs and attorneys’ fees by the Virginia Attorney General’s Office. CCPA appears to have no such specific provision.
Moreover, CCPA’s $7,500 max applies only to intentional violations of the law. CCPA violations made merely knowingly (without intention), recklessly, or negligently carry a maximum penalty of only $2,500 per — one third the penalty of an intentional violation.
This is potentially made up for, however, by CCPA’s allowance of private rights of action by consumers — but only for certain violations related to data breaches of a consumer’s “nonencrypted or nonredacted personal information”, and only subject to approval by the California Attorney General. While both laws primarily concern themselves with enforcement by their respective state attorney general’s office (or, in the case of CCPA, other law enforcement bodies), CCPA specifically outlines circumstances under which a private individual may bring their own lawsuit against a putative violator.
Under such a claim, a victorious individual CCPA plaintiff can recover anywhere from $100 to $750 (or, perhaps, even greater than $750 if the plaintiff can prove actual damages beyond that amount) per incident (as opposed to the much stricter “per violation” standard for government-brought actions) — along with declaratory or injunctive relief (“Hey! Stop this. Don’t do it again. Be good.”), and the ever-present catch-all of “any other relief the court deems just and proper”.
Compare Virginia’s CDPA, which bars private rights of action under CDPA, period.
Further, both laws have language that they cannot be used as the basis for a private right of action under any other law — but that hasn’t stopped California plaintiffs from working to bring separate lawsuits for violations of various consumer-protection laws with some basis on CCPA provisions. It remains to be seen if Virginia consumers will respond to CDPA similarly.
(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney authorized to practice in your jurisdiction.)