California and Virginia are arguably the two states with the toughest data privacy laws, the CCPA (CPRA) and the CDPA, respectively. Both laws could affect your business, no matter your location.
While the two laws have broadly similar aims and concepts, they have some key differences that affect how you must comply with each.
Let's explore some of them.
The California Consumer Privacy Act (CCPA) is a state law passed in June 2018 and amended on several occasions, including the most recent CPRA amendment. It was broadly based on measures in a ballot initiative that was scheduled for the 2018 mid-term elections (and expected to pass) but withdrawn once the law was created. The law took effect from January 2020 with enforcement beginning in July 2020.
The Consumer Data Protection Act (CDPA) is a Virginia state law passed in March 2021. It will take effect from 1 January 2023. The law uses elements from both California's CCPA and Europe's General Data Protection Regulation (GDPR).
Scope of Each Law
Both laws target businesses (for-profit organizations) rather than consumers or other groups.
The CCPA (CPRA) applies to any business that serves customers in California and meets at least one of three criteria:
- Annual gross revenue is $25 million or more
- At least half of annual gross revenue comes from selling or sharing personal information about consumers in California, or
- Buys, sells, receives or shares personal data about at least 100,000 consumers or households in California in a one-year period
The CDPA applies to any business that processes personal data about more than 100,000 Virginia consumers in a one-year period. This could include collecting or using data as well as buying or selling it.
If the business makes more than half its gross revenue from selling personal data about Virginia consumers, the threshold falls from 100,000 to 25,000.
The CDPA does not cover businesses that are already covered by a federal privacy scheme such as HIPAA for health data.
The CDPA exempts businesses based outside the state that do not "target" Virginia consumers. However, "target" simply means Virginia consumers are among the intended audience; it doesn't mean the business prioritizes the state.
Any business that accepts orders from Virginia consumers must follow the CDPA.
Both laws establish and protect consumer rights over their personal data. These rights could affect the way a court or regulator interprets the particular measures laid out in the laws.
The following consumer rights are included in both laws:
- To know what data a company holds or processes about them
- To access the data
- To opt out of (and thus stop) the business selling their personal data
- To demand the business delete their personal data
Both laws say businesses must not discriminate against consumers who exercise these rights, for example by refusing service or charging different prices.
The CCPA (CPRA) also gives consumers the right to know whether a business sells or shares their personal data and, if so, who with.
The CDPA also gives consumers the rights to:
- Correct inaccuracies in their personal data
- Get a copy of the personal data in a format they can easily transfer (for example to another business)
- Opt out of the business using their personal data for targeted advertising
- Opt out of the business using their personal data for profiling with a legal or other significant effect
Notifications When Collecting Data
The CCPA/CPRA's major requirement is to notify people about the way you use their data. The law sets out a number of categories of data to refer to when making these notifications.
When collecting data, you must say for each category:
- What data (if any) you collect
- The purpose for which you use the data
- Whether you sell or share the data (and if so, who gets it)
You must also publish a statement covering your overall data use (across all people) in the past 12 months. This statement must detail which categories cover data you have collected, data you have sold, and data you have disclosed to a third party.
Lufthansa uses a clear table detailing the categories and the ways it does and does not use personal data in each one:
The CDPA's main notification requirement when collecting data is to give the purpose for which you will use it. You can only use the data for this purpose and you must only collect data that is both relevant and necessary for this purpose.
Dyson uses a drop-down menu to give both an overview of the purposes for which it collects data and then more detail about each:
While both laws are a bit different here, they both work to provide transparency to consumers, which you can see in the examples above.
The CCPA (CPRA) seems to focus more on informing consumers about your data processing rather than requiring consent. The main exception is for selling data, where the consent requirements depend on the person's age:
- If you know the person is aged under 13, you must get parental or guardian consent to sell the data.
- If you know the person is aged between 13 and 16, you must get their consent to sell the data.
- If you know the person is 16 or older, you need consent to use their data for any new purposes.
You must also get consent before enrolling anyone in a financial incentive program, such as a rewards club.
Even after consent is given, the person can tell you to stop selling their data. You must have a dedicated web page where they can exercise this right. You must link to this page from your home page using the words "Do Not Sell My Personal Information."
Disney builds this link into its navigation bar so it appears on every page on the site:
The CDPA requires consent in two key scenarios:
- When you have previously collected data but now want to use it for a different purpose to the one you stated at the time of collection, and
- When you want to collect and use data the CDPA defines as sensitive. This includes:
- Data that reveals citizenship, immigration status, a mental or physical health diagnosis, racial or ethnic origin, religious beliefs or sexual orientation
- Genetic or biometric data that identifies someone
- Data you knowingly collect from a child
- Precise geolocation data
You do not need prior consent to collect, use or sell personal data that is not classed as sensitive. However, the person can tell you to stop selling their personal data. They can also tell you not to use it for targeted advertising.
- A list of the consumer rights under the CCPA (CPRA), and
- The category-by-category breakdown of the personal data you've collected, sold and disclosed in the past 12 months
Remember the CCPA (CPRA) also says you must give users specific category-by-category details of how you'll collect, use and sell their data at the point you collect it. You also need to disclose how long you plan to keep the data.
- The categories of data you collect
- The categories of data you share with third parties (and the categories of third parties involved)
- The purposes for which you collect data
The University of Virginia uses logical categories to cover the types of data it collects:
- How people can exercise their rights under the CDPA
- How they can appeal if they disagree with your decision about exercising their rights
- Whether you sell personal data to third parties (and if so, how they can opt out)
- Whether you use their personal data for targeted advertising (and if so, how they can opt out)
Penalties for Non-Compliance
Breaching the CCPA (CPRA) can lead to three types of financial penalty:
- The state Attorney General can order you to fix a violation. If you don't do so within 30 days, the Attorney General can issue a fine of up to $7,500 per violation
- Individuals can report violations regarding their personal data to the Attorney General. If the Attorney General doesn't take action, the individual can sue you for civil damages
- If you don't adequately secure data and you suffer a breach, affected individuals can sue you. A court can order statutory damages of between $100 and $750 per affected individual. However, you'll have to pay the actual damages if the individual can prove they are higher.
The Virginia Attorney General enforces the CDPA. They can order you to correct any violation. If you don't do so within 30 days, they can issue a civil penalty (fine) of up to $7,500 for each violation.
Unlike the CCPA (CPRA), the CDPA doesn't let individuals take legal action over a violation.
Let's recap what you need to know about the CCPA (CPRA) and the CDPA:
- Both laws cover personal data use by businesses.
- You may fall under the scope of the CCPA (CPRA) based on your annual revenue, how much of your revenue comes from selling personal data about Californians, or the number of Californians whose data you buy or sell.
- You may fall under the scope of the CDPA based on the number of Virginians whose data you process.
- Both laws establish and uphold consumer rights, including knowing what data you process and opting out of you selling data.
- The CDPA has more rights, including opting out of you using their data for targeted advertising and profiling.
- The CCPA (CPRA) says you must tell people what data you collect from them and how you'll use it, plus your overall data use in the past 12 months. It sets out specific categories to refer to when doing this.
- The CDPA says you must tell people the specific purpose for which you collect and use their data.
- The CDPA says you must list the types of data you collect, the types of data you share, and the types of recipient, plus details of how to exercise data privacy rights.
- The CCPA (CPRA) says the California Attorney General can fine you for not fixing a violation. Individuals can sue you if the Attorney General doesn't take action. Individuals can also sue you over a data breach if you didn't adequately secure data.
- The CDPA says the Virginia Attorney General can fine you for not fixing a violation, but doesn't let individuals take legal action.