California CCPA versus Virginia CDPA

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 13 May 2022.

California and Virginia are arguably the two states with the toughest data privacy laws, the CCPA and CDPA, respectively. Both laws could affect your business, no matter your location.

While the two laws have broadly similar aims and concepts, they have some key differences that affect how you must comply with each.

Let's explore some of them.

The California Consumer Privacy Act (CCPA) is a state law passed in June 2018 and amended on several occasions up until November 2019. It was broadly based on measures in a ballot initiative that was scheduled for the 2018 mid-term elections (and expected to pass) but withdrawn once the law was created. The law took effect from January 2020 with enforcement beginning in July 2020.

The Consumer Data Protection Act (CDPA) is a Virginia state law passed in March 2021. It will take effect from 1 January 2023. The law uses elements from both California's CCPA and Europe's General Data Protection Regulation (GDPR).


Scope of Each Law

Both laws target businesses (for-profit organizations) rather than consumers or other groups.

CCPA

The CCPA applies to any business that serves customers in California and meets at least one of three criteria:

  • Annual gross revenue is $25 million or more
  • At least half of annual gross revenue comes from selling personal information about consumers in California, and/or
  • Buys, sells, receives or shares personal data about at least 50,000 consumers, devices or households in California in a one-year period

CDPA

The CDPA applies to any business that processes personal data about more than 100,000 Virginia consumers in a one-year period. This could include collecting or using data as well as buying or selling it.

If the business makes more than half its gross revenue from selling personal data about Virginia consumers, the threshold falls from 100,000 to 25,000.

The CDPA does not cover businesses that are already covered by a federal privacy scheme such as HIPAA for health data.

The CDPA exempts businesses based outside the state that do not "target" Virginia consumers. However, "target" simply means Virginia consumers are among the intended audience; it doesn't mean the business prioritizes the state.

Any business that accepts orders from Virginia consumers must follow the CDPA.

Consumer Rights

Both laws establish and protect consumer rights over their personal data. These rights could affect the way a court or regulator interprets the particular measures laid out in the laws.

The following consumer rights are included in both laws:

  • To know what data a company holds or processes about them
  • To access the data
  • To opt out of (and thus stop) the business selling their personal data
  • To demand the business delete their personal data

Both laws say businesses must not discriminate against consumers who exercise these rights, for example by refusing service or charging different prices.

The CCPA also gives consumers the right to know whether a business sells or shares their personal data and, if so, who with.

The CDPA also gives consumers the rights to:

  • Correct inaccuracies in their personal data
  • Get a copy of the personal data in a format they can easily transfer (for example to another business)
  • Opt out of the business using their personal data for targeted advertising
  • Opt out of the business using their personal data for profiling with a legal or other significant effect

Notifications When Collecting Data

CCPA

The CCPA's major requirement is to notify people about the way you use their data. The law sets out 11 categories of data to refer to when making these notifications.

When collecting data, you must say for each category:

  • What data (if any) you collect
  • The purpose for which you use the data
  • Whether you sell or share the data (and if so, who gets it)

You must also publish a statement covering your overall data use (across all people) in the past 12 months. This statement must detail which categories cover data you have collected, data you have sold, and data you have disclosed to a third party.

Lufthansa uses a clear table detailing the categories and the ways it does and does not use personal data in each one:

[Screenshot: Lufthansa CCPA Statement, "Personal Information Collected" chart]

CDPA

The CDPA's main notification requirement when collecting data is to give the purpose for which you will use it. You can only use the data for this purpose and you must only collect data that is both relevant and necessary for this purpose.

Dyson uses a drop-down menu to give both an overview of the purposes for which it collects data and then more detail about each:

[Screenshot: Dyson "How and Why we Use Your Personal Data" page, "To Provide Products and Services" section highlighted]

Although the two laws differ in what they ask for here, both aim to give consumers transparency about how their data is used, as the examples above show.

Consent

CCPA

The CCPA is largely about informing consumers about your data processing rather than requiring consent. The main exception is for selling data, where the consent requirements depend on the person's age:

  • If you know the person is aged under 13, you must get parental or guardian consent to sell the data.
  • If you know the person is aged between 13 and 16, you must get their consent to sell the data.
  • If you know the person is 16 or older, you do not need consent to sell their data. However, the person can tell you to stop selling their data. You must have a dedicated web page where they can exercise this right. You must link to this page from your home page using the words "Do Not Sell My Personal Information."

Disney builds this link into its navigation bar so it appears on every page on the site:

[Screenshot: Disney website footer with "Do Not Sell My Personal Information" link highlighted]

CDPA

The CDPA requires consent in two key scenarios:

  • When you have previously collected data but now want to use it for a different purpose to the one you stated at the time of collection, and
  • When you want to collect and use data the CDPA defines as sensitive. This includes:

    • Data that reveals citizenship, immigration status, a mental or physical health diagnosis, racial or ethnic origin, religious beliefs or sexual orientation
    • Genetic or biometric data that identifies someone
    • Data you knowingly collect from a child
    • Precise geolocation data

You do not need prior consent to collect, use or sell personal data that is not classed as sensitive. However, the person can tell you to stop selling their personal data. They can also tell you not to use it for targeted advertising.

Privacy Policies

CCPA

The CCPA says you must publish certain information in a document such as a Privacy Policy.

A CCPA-compliant Privacy Policy must include:

  • A list of the consumer rights under the CCPA, and
  • The category-by-category breakdown of the personal data you've collected, sold and disclosed in the past 12 months

Remember the CCPA also says you must give users specific category-by-category details of how you'll collect, use and sell their data at the point you collect it. This could be a custom notice that appears at the collection point. Alternatively, if the details will be the same for all users or customers, you can include the details in your Privacy Policy and link to it at the point you collect the data.

PubMatic includes a list of consumer rights in its CCPA Privacy Policy:

[Screenshot: PubMatic CCPA Privacy Policy, "California Resident Rights" clause]

CDPA

The CDPA says you must publish a privacy notice (such as a CDPA-compliant Privacy Policy).

A CDPA-compliant Privacy Policy must include:

  • The categories of data you collect
  • The categories of data you share with third parties (and the categories of third parties involved)
  • The purposes for which you collect data

Unlike the CCPA, the CDPA doesn't set out required categories to use in your Privacy Policy. The key is to be specific enough that people understand how you use their data, but not so detailed that the Privacy Policy becomes too unwieldy to be useful. If you are also covered by the CCPA, you could use the CCPA categories to cover both laws.

The University of Virginia uses logical categories to cover the types of data it collects:

[Screenshot: University of Virginia Privacy Policy, "Automatically Collected Access Information" and "Optional Information" clauses]

Your Privacy Policy must also cover:

  • How people can exercise their rights under the CDPA
  • How they can appeal if they disagree with your decision about exercising their rights
  • Whether you sell personal data to third parties (and if so, how they can opt out)
  • Whether you use their personal data for targeted advertising (and if so, how they can opt out)

Penalties for Non-Compliance

CCPA

Breaching the CCPA can lead to three types of financial penalty:

  • The state Attorney General can order you to fix a violation. If you don't do so within 30 days, the Attorney General can issue a fine of up to $7,500 per violation
  • Individuals can report violations regarding their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you for civil damages
  • If you don't adequately secure data and you suffer a breach, affected individuals can sue you. A court can order statutory damages of between $100 and $750 per affected individual. However, you'll have to pay the actual damages if the individual can prove they are higher.

CDPA

The Virginia Attorney General enforces the CDPA. They can order you to correct any violation. If you don't do so within 30 days, they can issue a civil penalty (fine) of up to $7,500 for each violation.

Unlike the CCPA, the CDPA doesn't let individuals take legal action over a violation.

Future Changes

CCPA

Following a successful ballot initiative in 2020, the California Privacy Rights Act (CPRA) will take effect in January 2023, with enforcement beginning in July 2023. In practice, the CPRA will replace the CCPA.

The existing requirements will continue, with new ones added, though fewer businesses will be affected. The 50,000 threshold for handling personal data about California consumers or households will increase to 100,000. Devices will no longer count towards this threshold.

The biggest change is a new "sensitive personal information" category to cover data including:

  • Government-issued numbers
  • Financial account details that give access to accounts
  • Biometric and health data
  • Communications with a third party
  • Details about racial origin, ethnic origin, sexual orientation, sex life, religious beliefs or union membership
  • Precise geolocation

Businesses will need to include this category in all notifications (such as data collected, data sold, etc).

Consumers have the right to say you can only use sensitive data to provide goods or services they have requested. This means you can't use it for marketing. You must set up a dedicated web page where they can exercise this right, with a home page link reading "Limit the Use of My Sensitive Personal Information."

Other changes under the CPRA include:

  • For each category of data you must say how long you will keep the data. If you don't know, you must say how you will decide when to delete it.
  • The opt-out from selling personal data will extend to cover sharing with a third party even without payment.
  • Consumers will have the right to ask you to correct any inaccuracies. If you only operate online, you can give an email address for consumers to exercise this right. If you operate offline as well, you must offer two ways, including a toll-free phone number. (The other way can be the email address.)
  • You must tell consumers if you use any of their data (regardless of category) for automated decision making. They can tell you to stop using it in some more sensitive ways such as profiling their health, location or work performance.

CDPA

At the time of writing, Virginia legislators were considering a range of bills that would change the CDPA. Depending on their support and timescale, these changes could be part of the CDPA when it takes effect in 2023, take effect later on, or be rejected by legislators.

You do not need to take any action now regarding these changes, but it may be worth thinking about if and how you would change your data handling practices if they took effect.

Some of the key proposed changes include:

  • Giving the Attorney General the right to make businesses pay for actual damages caused by a violation
  • Removing demographic data from the sensitive category if it's being used for diversity or outreach purposes
  • Clarifying what happens if an individual asks you to delete data that you have sold or disclosed to a third party

Summary

Let's recap what you need to know about the CCPA and the CDPA:

  • Both laws cover personal data use by businesses. The CCPA is already in effect, while the CDPA takes effect from 2023.
  • You may fall under the scope of the CCPA based on your annual revenue, how much of your revenue comes from selling personal data about Californians, or the number of Californians whose data you buy or sell.
    • You may fall under the scope of the CDPA based on the number of Virginians whose data you process.
  • Both laws establish and uphold consumer rights including knowing what data you process and opting out of you selling data.
    • The CDPA has more rights including opting out of you using their data for targeted advertising and profiling.
  • The CCPA says you must tell people about what data you collect from them and how you'll use it, plus your overall data use in the past 12 months. It sets out 11 categories to refer to when doing this.
    • The CDPA says you must tell people the specific purpose for which you collect and use their data.
  • The CCPA requires consent ("opt-in") to sell the data of somebody under 16. Those aged 16 and over can opt out of data sales.
    • The CDPA requires consent to use data for a purpose that you didn't state when collecting it. It also requires consent to collect and use data classed as sensitive.
  • Both laws require a Privacy Policy or similar document. The CCPA says you must list the consumer rights under the law and give a category-by-category breakdown of your overall data use in the past 12 months.
    • The CDPA says you must list the types of data you collect, the types of data you share, and the types of recipient, plus details of how to exercise data privacy rights.
  • The CCPA says the California Attorney General can fine you for not fixing a violation. Individuals can sue you if the Attorney General doesn't take action. Individuals can also sue you over a data breach if you didn't adequately secure data.
    • The CDPA says the Virginia Attorney General can fine you for not fixing a violation, but doesn't let individuals take legal action.
  • The CCPA will effectively be replaced by the CPRA in 2023. It narrows the range of affected businesses but adds new requirements. The main one is a new category for sensitive data which you must use when giving information about data use. People can tell you to limit the way you use this data.
    • The CDPA may be amended before it takes effect, for example to cover cases where somebody asks you to delete data that you've passed on to a third party.