Data privacy laws are growing in number—in 2023 alone, four new state laws are taking effect—but their general approach to the issue is pretty similar. They require organizations to be transparent about how they use personal data, and give consumers more control by granting them new privacy rights. In fact, they are so similar that it can be difficult to keep track of the differences.
Such is the case with the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA). They share many similarities, but this masks some very important differences that significantly affect compliance. Here we’ll highlight the most important ways that the two laws differ from each other.
Among the U.S. data privacy laws, the CCPA is alone in applying to personal data from not only consumers, but employees, job applicants, and B2B contacts as well. When it was originally passed, the CCPA had a temporary exemption for this data, which the state kept extending. That changed on January 1, 2023, when the exemption finally expired without further extensions.
Employee data in particular presents a challenge for businesses: they not only have to map this data separately, they also have to determine how to respond to privacy requests from employees, such as requests to access or delete their personal data.
Virginia, on the other hand, permanently exempts any data collected in an employment or commercial context.
Both the California and Virginia laws give consumers the right to opt out of the sale of their personal data (as well as targeted advertising), but they define “sale” in subtly different ways. The VCDPA defines a sale as the exchange of personal data for monetary consideration (i.e., money), while the CCPA defines it as making personal information available for monetary “or other valuable consideration.”
It’s a small difference with big implications. Most businesses that have to comply with the CCPA don’t trade personal information for money, but the California definition doesn’t require money to change hands. Receiving free or discounted access to a product or service (such as software like Google Analytics) in exchange for access to data about your customers would count as a sale, and this is a much more common practice. Any business that sells data in this way has to create a process that allows consumers to opt out.
Switching things up, here’s an example where the VCDPA imposes a higher burden than the CCPA. The Virginia law requires businesses to conduct data protection assessments when processing personal data for any of the following purposes:
A data protection assessment must weigh the benefits of the processing against the potential risks to consumers, and consider the use of safeguards to reduce those risks.
The CCPA does not currently require data protection assessments, though it does give the California Privacy Protection Agency (CPPA) the authority to require a regular “risk assessment” from businesses whose data processing activities present a significant risk to consumers’ privacy or security. The CPPA has not yet drafted those rules, but is expected to do so in the near future.
This is another area where the VCDPA has added a new requirement to the privacy compliance landscape. Anytime a business refuses to take action on all or part of a consumer’s privacy request (for example, claiming that certain data is exempt from deletion), it must provide the consumer with a way to appeal that decision.
The law does not provide much detail on what the appeals process must look like, but it’s probably a good idea to have the decision reviewed by a second person. The business must also explain any actions taken or not taken in response to the appeal, and, if it still denies the request, provide a way to contact the Virginia Attorney General’s Office.
The CCPA contains no such appeal requirement, though businesses are required to provide an explanation if they deny a privacy request.
When a law creates a private right of action, it means that private citizens may sue anyone who violates that law, assuming the plaintiff has suffered some injury as a result of the violation. The VCDPA does not create a private right of action, and can only be enforced by the Virginia Attorney General. Therefore, if a Virginian’s privacy rights are violated, their only recourse is to make a complaint to the AG’s Office.
The CCPA takes a slightly different approach. It does not create a general private right of action over any violation, but does allow consumers to sue businesses if their personal information is compromised due to a security breach. In that case, each consumer can recover up to $750 per incident, without having to prove actual damages. This creates an obvious potential for class action lawsuits, so businesses are strongly encouraged to create and maintain strong security practices.
Multi-jurisdictional privacy compliance is complicated. You must take advantage of the various laws’ similarities in order to avoid duplicating work, while also accounting for the subtle differences that may escape someone who does not have a legal background.
TrueVault US makes it easy for any business to comply simultaneously with the CCPA, the VCDPA, and other similar state privacy laws, without the need for expensive legal fees or even an in-house privacy expert. Through our guided software experience, the information you provide is applied automatically across all of the various laws, with state-specific questions that fill in any gaps in the requirements. Within days or even hours, you can get your business compliant and be ready to respond to privacy requests.
To learn more about TrueVault US, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.