Recently, we blogged that both houses of the General Assembly of Virginia had voted to approve the Consumer Data Privacy Act (“CDPA” or “Virginia Privacy Law”). On March 2, 2021, Virginia Governor Ralph Northam signed the CDPA into law, making Virginia the second state in the nation (behind only California) to pass comprehensive consumer data privacy legislation. Please note that the Virginia Privacy Law will become effective on January 1, 2023. As such, many businesses that have worked tirelessly to obtain and maintain compliance with the California Consumer Privacy Act (“CCPA”) will soon need to undertake CDPA compliance measures. Although there are many similarities between the two (2) laws, there are also important distinctions worth noting.
How do the CDPA and the CCPA compare?
Virginia Privacy Law Applicability
Prior to working toward CDPA compliance, businesses should first determine whether the Virginia Privacy Law applies to them. The CDPA will apply to people and businesses that “conduct business within [Virginia] or that produce products or services that are targeted to [Virginia] residents” and: 1) “control or process personal data of at least 100,000” Virginians during a calendar year; or 2) “control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data.” “Personal data” is defined broadly in the CDPA to include any information that is linked to or could reasonably be linked to an individual, but excludes deidentified or publicly available information. Given the relatively narrow criteria for statute applicability, the good news is that many businesses will likely not hit the thresholds that would require them to comply with CDPA regulations.
CDPA in Comparison to the CCPA
Similar to the CCPA, the CDPA affords consumers the right to access their personal data, correct any inaccuracies, request complete copies of their personal data, and direct companies to delete their personal data. Additionally, consumers have the right to opt out of: 1) the processing of their personal data for targeted advertising; 2) the sale of their personal data; and 3) data profiling.
Unlike the CCPA, the Virginia Privacy Law has received broad support from the technology industry for being comparatively industry friendly. This is due, in large part, to the following distinctions: 1) the CDPA does not provide for a private right of action and bestows exclusive enforcement authority in the Office of the Attorney General; 2) the CDPA is more aligned with Europe’s General Data Protection Regulation (“GDPR”) in that it distinguishes roles between entities as either “controllers” or “processors;” 3) the definition of “sale of personal data” in the CDPA is more narrow than that contained within the CCPA, limiting what is considered a sale to “the exchange of personal data for monetary consideration by the controller to a third party;” and 4) although both the CCPA and CDPA require businesses to obtain permission before collecting “sensitive data” (such as racial or ethnic origin, genetic data and geolocation), the CCPA has a broader definition, including such information as social security numbers, drivers’ license numbers and credit or debit card numbers.
While Virginia may be just the second state of the Union to pass consumer data privacy legislation, there are additional states hoping to follow suit in the coming months. With the specter of having to comply with a piecemeal landscape of state laws, the federal government may decide to enact legislation that will provide businesses with a more uniform set of rules to follow. Until then, businesses should monitor evolving state consumer data privacy law developments and work to become compliant with enacted regulations.
If you need assistance with consumer data privacy compliance, please email us at email@example.com, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.