Data privacy laws are growing in number—in 2023 alone, four new state laws are taking effect—but their general approach to the issue is pretty similar. They require organizations to be transparent about how they use personal data, and give consumers more control by granting them new privacy rights. In fact, they are so similar that it can be difficult to keep track of the differences.
Such is the case with the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA). They share many similarities, but this masks some very important differences that significantly affect compliance. Here we’ll highlight the most important ways that the two laws differ from each other.
Among the U.S. data privacy laws, the CCPA is alone in applying to personal data from not only consumers, but employees, job applicants, and B2B contacts as well. When it was originally passed, the CCPA had a temporary exemption for this data, which the state kept extending. That changed on January 1, 2023, when the exemption finally expired without further extensions.
Employee data in particular presents a challenge for businesses: they not only have to map this data separately, but also have to determine how to respond to employees’ privacy requests, such as requests to access or delete their personal data.
Virginia, on the other hand, permanently exempts any data collected in an employment or commercial context.
Both the California and Virginia laws give consumers the right to opt out of the sale of their personal data (as well as targeted advertising), but they define “sale” in subtly different ways. The VCDPA defines a sale as the exchange of personal data for monetary consideration (i.e., money), while the CCPA defines it as making personal information available for monetary “or other valuable consideration.”
It’s a small difference with big implications. Most businesses that have to comply with the CCPA don’t trade personal information for money, but the California definition doesn’t require money to change hands. Receiving free or discounted access to a product or service (such as software like Google Analytics) in exchange for access to data about your customers would count as a sale, and this is a much more common practice. Any business that sells data in this way has to create a process that allows consumers to opt out.
Switching things up, here’s an example where the VCDPA imposes a higher burden than the CCPA. The Virginia law requires businesses to conduct data protection assessments when processing personal data for any of the following purposes:
A data protection assessment must weigh the benefits of the processing against the potential risks to consumers, and consider the use of safeguards to reduce those risks.
The CCPA does not currently require data protection assessments, though it does give the California Privacy Protection Agency the authority to require a regular “risk assessment” from businesses whose data processing activities present a significant risk to consumers’ privacy or security. The CPPA has not yet drafted those rules, but is expected to do so in the near future.
This is another area where the VCDPA has added a new requirement to the privacy compliance landscape. Anytime a business refuses to take action on all or part of a consumer’s privacy request (for example, claiming that certain data is exempt from deletion), it must provide the consumer with a way to appeal that decision.
The law does not provide much detail on what the appeals process must look like, but it’s probably a good idea to have the decision reviewed by a second person. The business must also explain any actions taken or not taken in response to the appeal, and, if it still denies the request, provide a way to contact the Virginia Attorney General’s Office.
The CCPA contains no such appeal requirement, though businesses are required to provide an explanation if they deny a privacy request.
When a law creates a private right of action, it means that private citizens may sue anyone who violates that law, assuming the plaintiff has suffered some injury as a result of the violation. The VCDPA does not create a private right of action, and can only be enforced by the Virginia Attorney General. Therefore, if a Virginian’s privacy rights are violated, their only recourse is to make a complaint to the AG’s Office.
The CCPA takes a slightly different approach. It does not create a general private right of action over any violation, but does allow consumers to sue businesses if their personal information is compromised due to a security breach. In that case, each consumer can recover up to $750 per incident, without having to prove actual damages. This creates an obvious potential for class action lawsuits, so businesses are strongly encouraged to create and maintain strong security practices.
Multi-jurisdictional privacy compliance is complicated. You must take advantage of the various laws’ similarities in order to avoid duplicating work, while also accounting for the subtle differences that may escape someone who does not have a legal background.
TrueVault US makes it easy for any business to comply simultaneously with the CCPA, the VCDPA, and other similar state privacy laws, without the need for expensive legal fees or even an in-house privacy expert. Through our guided software experience, the information you provide is applied automatically across all of the various laws, with state-specific questions that fill in any gaps in the requirements. Within days or even hours, you can get your business compliant and be ready to respond to privacy requests.
To learn more about TrueVault US, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.