California CCPA (CPRA) versus Virginia CDPA

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 March 2023.

California and Virginia are arguably the two states with the toughest data privacy laws, the CCPA (CPRA) and the CDPA, respectively. Both laws could affect your business, no matter your location.

While the two laws have broadly similar aims and concepts, they have some key differences that affect how you must comply with each.

Let's explore some of them.

The California Consumer Privacy Act (CCPA) is a state law passed in June 2018 and amended on several occasions, including the most recent CPRA amendment. It was broadly based on measures in a ballot initiative that was scheduled for the 2018 mid-term elections (and expected to pass) but withdrawn once the law was created. The law took effect from January 2020 with enforcement beginning in July 2020.

The Consumer Data Protection Act (CDPA) is a Virginia state law passed in March 2021. It will take effect from 1 January 2023. The law uses elements from both California's CCPA and Europe's General Data Protection Regulation (GDPR).


Scope of Each Law

Both laws target businesses (for-profit organizations) rather than consumers or other groups.

CCPA (CPRA)

The CCPA (CPRA) applies to any business that serves customers in California and meets at least one of three criteria:

  • Annual gross revenue is $25 million or more
  • At least half of annual gross revenue comes from selling or sharing personal information about consumers in California, or
  • Buys, sells, receives or shares personal data about at least 100,000 consumers or households in California in a one-year period

CDPA

The CDPA applies to any business that processes personal data about more than 100,000 Virginia consumers in a one-year period. This could include collecting or using data as well as buying or selling it.

If the business makes more than half its gross revenue from selling personal data about Virginia consumers, the threshold falls from 100,000 to 25,000.

The CDPA does not cover businesses that are already covered by a federal privacy scheme such as HIPAA for health data.

The CDPA exempts businesses based outside the state that do not "target" Virginia consumers. However, "target" simply means Virginia consumers are among the intended audience; it doesn't mean the business prioritizes the state.

Any business that accepts orders from Virginia consumers must follow the CDPA.

Consumer Rights

Both laws establish and protect consumer rights over their personal data. These rights could affect the way a court or regulator interprets the particular measures laid out in the laws.

The following consumer rights are included in both laws:

  • To know what data a company holds or processes about them
  • To access the data
  • To opt out of (and thus stop) the business selling their personal data
  • To demand the business delete their personal data

Both laws say businesses must not discriminate against consumers who exercise these rights, for example by refusing service or charging different prices.

The CCPA (CPRA) also gives consumers the right to know whether a business sells or shares their personal data and, if so, who with.

The CDPA also gives consumers the rights to:

  • Correct inaccuracies in their personal data
  • Get a copy of the personal data in a format they can easily transfer (for example to another business)
  • Opt out of the business using their personal data for targeted advertising
  • Opt out of the business using their personal data for profiling with a legal or other significant effect

Notifications When Collecting Data

CCPA (CPRA)

The CCPA/CPRA's major requirement is to notify people about the way you use their data. The law sets out a number of categories of data to refer to when making these notifications.

When collecting data, you must say for each category:

  • What data (if any) you collect
  • The purpose for which you use the data
  • Whether you sell or share the data (and if so, who gets it)

You must also publish a statement covering your overall data use (across all people) in the past 12 months. This statement must detail which categories cover data you have collected, data you have sold, and data you have disclosed to a third party.

Lufthansa uses a clear table detailing the categories and the ways it does and does not use personal data in each one:

Lufthansa CCPA Statement: Personal Information Collected chart

CDPA

The CDPA's main notification requirement when collecting data is to give the purpose for which you will use it. You can only use the data for this purpose and you must only collect data that is both relevant and necessary for this purpose.

Dyson uses a drop-down menu to give both an overview of the purposes for which it collects data and then more detail about each:

Dyson How and Why we Use Your Personal Data page - To Provide Products and Services section highlighted

While the two laws differ somewhat here, both work to provide transparency to consumers, as the examples above show.

Consent

CCPA (CPRA)

The CCPA (CPRA) seems to focus more on informing consumers about your data processing rather than requiring consent. The main exception is for selling data, where the consent requirements depend on the person's age:

  • If you know the person is aged under 13, you must get parental or guardian consent to sell the data.
  • If you know the person is aged between 13 and 16, you must get their consent to sell the data.
  • If you know the person is 16 or older, you need consent to use their data for any new purposes.

You must also get consent before enrolling anyone in a financial incentive program, such as a rewards club.

Even after consent is given, the person can tell you to stop selling their data. You must have a dedicated web page where they can exercise this right. You must link to this page from your home page using the words "Do Not Sell My Personal Information."

Disney builds this link into its navigation bar so it appears on every page on the site:

Disney website footer with Do Not Sell My Personal Information link highlighted

CDPA

The CDPA requires consent in two key scenarios:

  • When you have previously collected data but now want to use it for a different purpose from the one you stated at the time of collection, and
  • When you want to collect and use data the CDPA defines as sensitive. This includes:

    • Data that reveals citizenship, immigration status, a mental or physical health diagnosis, racial or ethnic origin, religious beliefs or sexual orientation
    • Genetic or biometric data that identifies someone
    • Data you knowingly collect from a child
    • Precise geolocation data

You do not need prior consent to collect, use or sell personal data that is not classed as sensitive. However, the person can tell you to stop selling their personal data. They can also tell you not to use it for targeted advertising.

Privacy Policies

CCPA (CPRA)

The CCPA (CPRA) says you must publish certain information in a document such as a Privacy Policy.

A CCPA/CPRA-compliant Privacy Policy must include:

  • A list of the consumer rights under the CCPA (CPRA), and
  • The category-by-category breakdown of the personal data you've collected, sold and disclosed in the past 12 months

Remember the CCPA (CPRA) also says you must give users specific category-by-category details of how you'll collect, use and sell their data at the point you collect it. You also need to disclose how long you plan to keep the data.

This could be a custom notice that appears at the collection point. Alternatively, if the details will be the same for all users or customers, you can include the details in your Privacy Policy and link to it at the point you collect the data.

PubMatic includes a list of consumer rights in its CCPA Privacy Policy:

PubMatic CCPA Privacy Policy: California Resident Rights clause

CDPA

The CDPA says you must publish a privacy notice (such as a CDPA-compliant Privacy Policy).

A CDPA-compliant Privacy Policy must include:

  • The categories of data you collect
  • The categories of data you share with third parties (and the categories of third parties involved)
  • The purposes for which you collect data

Unlike the CCPA (CPRA), the CDPA doesn't set out required categories to use in your Privacy Policy. The key is to be specific enough that people understand how you use their data, but not so detailed that the Privacy Policy becomes too unwieldy to be useful. If you are also covered by the CCPA (CPRA), you could use the CCPA (CPRA) categories to cover both laws.

The University of Virginia uses logical categories to cover the types of data it collects:

University of Virginia Privacy Policy: Automatically Collected Access Information and Optional Information clauses

Your Privacy Policy must also cover:

  • How people can exercise their rights under the CDPA
  • How they can appeal if they disagree with your decision about exercising their rights
  • Whether you sell personal data to third parties (and if so, how they can opt out)
  • Whether you use their personal data for targeted advertising (and if so, how they can opt out)

Penalties for Non-Compliance

CCPA (CPRA)

Breaching the CCPA (CPRA) can lead to three types of financial penalty:

  • The state Attorney General can order you to fix a violation. If you don't do so within 30 days, the Attorney General can issue a fine of up to $7,500 per violation
  • Individuals can report violations regarding their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you for civil damages
  • If you don't adequately secure data and you suffer a breach, affected individuals can sue you. A court can order statutory damages of between $100 and $750 per affected individual. However, you'll have to pay the actual damages if the individual can prove they are higher.

CDPA

The Virginia Attorney General enforces the CDPA. They can order you to correct any violation. If you don't do so within 30 days, they can issue a civil penalty (fine) of up to $7,500 for each violation.

Unlike the CCPA (CPRA), the CDPA doesn't let individuals take legal action over a violation.

Summary

Let's recap what you need to know about the CCPA (CPRA) and the CDPA:

  • Both laws cover personal data use by businesses.
  • You may fall under the scope of the CCPA (CPRA) based on your annual revenue, how much of your revenue comes from selling personal data about Californians, or the number of Californians whose data you buy or sell.
    • You may fall under the scope of the CDPA based on the number of Virginians whose data you process.
  • Both laws establish and uphold consumer rights including knowing what data you process and opting out of you selling data.
    • The CDPA has more rights including opting out of you using their data for targeted advertising and profiling.
  • The CCPA (CPRA) says you must tell people about what data you collect from them and how you'll use it, plus your overall data use in the past 12 months. It sets out specific categories to refer to when doing this.
    • The CDPA says you must tell people the specific purpose for which you collect and use their data.
  • Both laws require a Privacy Policy or similar document. The CCPA (CPRA) says you must list the consumer rights under the law and give a category-by-category breakdown of your overall data use in the past 12 months.
    • The CDPA says you must list the types of data you collect, the types of data you share, and the types of recipient, plus details of how to exercise data privacy rights.
  • The CCPA (CPRA) says the California Attorney General can fine you for not fixing a violation. Individuals can sue you if the Attorney General doesn't take action. Individuals can also sue you over a data breach if you didn't adequately secure data.
    • The CDPA says the Virginia Attorney General can fine you for not fixing a violation, but doesn't let individuals take legal action.