Virginia Governor Signs Comprehensive Data Privacy Law
Following hot on the heels of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the California Consumer Privacy Act, the California Privacy Rights Act and the Virginia Consumer Data Protection Act.
Provision | California Consumer Privacy Act (CCPA) | California Privacy Rights Act (CPRA) | Virginia Consumer Data Protection Act (VCDPA) |
Date of effect | January 1, 2020 | January 1, 2023 | January 1, 2023 |
Law applies to | A “business” that meets at least one threshold below: • Generates over $25M in annual gross revenue; • Handles the records of at least 50,000 California consumers; or • Generates over 50% in annual revenue from sales of consumer data | Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000. | Applies to businesses that: • Handle the records of at least 100,000 Virginia consumers; or • Handle the records of at least 25,000 Virginia consumers and derive over 50% in gross revenue from sales of consumer data |
Definition of personal data | Any information that could be associated or linked with a particular consumer or household. | Same as CCPA, except that there is a reasonableness element: Any information that could be reasonably associated or linked with a particular consumer or household. | Limited to particular consumers. “Any information that is linked or reasonably linkable to an identified or identifiable natural person” |
Definition of sensitive personal data | Does not define sensitive personal data. | Defines sensitive personal data to include: • Social security number • Driver’s license number • Account log-in, debit, or credit card number in combination with password or PIN • Precise geolocation • Racial/ethnic origins • Religious or philosophical beliefs • Union membership • Contents of e-mails or texts to others • Genetic/biometric data • Health information • Sex life/sexual orientation data | Defines sensitive personal data to include: • Racial/ethnic origins • Religious beliefs • Mental or physical health diagnosis • Sexual orientation • Citizenship/ immigration status • Genetic/biometric data • Children’s data • Precise geolocation |
Consumer rights | • Access • Deletion • Non-Discrimination • Opt-out of: o Sale of personal data | Same as CCPA, with the addition of rights to: • Correct personal information • Limit the use of sensitive personal information | • Access • Correction • Deletion • Port • Opt-out of: o Targeted advertising o Sale of personal data o Profiling in furtherance of decisions that produce legal effects |
Data Privacy Impact Assessments | No requirement to conduct or document. | No requirement to conduct or document. | Controllers must conduct and document data protection assessments for the following activities: • Targeted advertising • Sale of personal data • Profiling • Sensitive data • Catch-all: any data that presents a “heightened risk of harm to consumers.” |
Data Protection Authority | California Office of the Attorney General | $10 million allocated per year to the California Privacy Protection Agency (CPPA). Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA. | Virginia Office of the Attorney General |
Cure Provision | 30 days to cure upon written notice of a violation by the California Attorney General’s office. | Ability to cure removed from CPRA. | 30 days to cure upon written notice of a violation by the Virginia Attorney General’s office. |
Enforcement | Administrative fines ranging from $2,500 per violation to $7,500 for intentional violations. | Administrative fines of $7,500 now apply to intentional violations and children’s data violations. | Administrative fines of $7,500 per violation. |
Private Right of Action | Consumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information. | Same as CCPA. | Consumers do NOT have a private right of action. |