Like the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA), the Virginia Consumer Data Protection Act (VCDPA) does not grant a private right of action for alleged violations of its obligations. Rather, enforcement of the VCDPA is the exclusive province of the attorney general (AG) of Virginia.
All Fair Information Practice Principles (FIPPs) state that organizations should be accountable for complying with the measures that give effect to the other principles we've discussed throughout this series (e.g., data quality, purpose specification, use limitation, individual participation, etc.). In this fifth and final installment of our series on the VCDPA, we review the ways in which the VCDPA will be enforced, both inside and outside of court. We also compare Virginia's enforcement mechanisms with California's and give helpful compliance guidance to businesses that will be governed by Virginia's new law.
The following chart compares the Virginia and California laws:
These similarities and differences are explained below.
A. Private Rights of Action
While neither the CCPA [1] nor the VCDPA provide for a private right of action, the statutes differ as the CCPA allows consumers to recover damages if a business' violation of the duty to implement and maintain reasonable security procedures results in a data breach. There is no private right of action under the VCDPA, not even for data breaches.
Also, under the CCPA, consumers must provide a business with a 30-day written notice and cannot sue if the violation is cured during that period. If the violation is not cured during that period, the consumer may recover (1) the greater of actual damages or statutory damages ($100 to $750) per consumer per incident, (2) injunctive or declaratory relief, and (3) any other relief the court deems proper.
B. Government Actions
1. AG Enforcement Authority
Under the CCPA and VCDPA, the AG has exclusive enforcement authority. This will change in California once the CPRA takes effect and creates the California Privacy Protection Agency, a five-member board that has the authority to (1) investigate possible violations of the CPRA upon the sworn complaint of any person or on its own initiative and (2) bring an administrative action to enforce violations. Virginia has no similar enforcement agency.
2. Cure Periods
Although the CCPA currently requires the AG to provide a 30-day cure period before suing, the CPRA removes that requirement and grants the AG discretion whether to provide a cure period. The VCDPA, in contrast, requires the AG to provide a 30-day cure period and bars AG action if a business successfully cures its violation. This cure period effectively limits enforcement in Virginia to alleged violations after the business has had an opportunity to cure. Accordingly, enforcement actions cannot be brought for any violations that are cured during the cure period — regardless of any damage already done.
3. Penalties
Once the CPRA takes effect, the California Privacy Protection Agency or the California AG may recover up to $2,500 for each violation or up to $7,500 for each intentional violation or violations involving the personal information of a minor consumer.
In Virginia, the Virginia AG may recover a civil penalty of up to $7,500 per violation. The Virginia AG may also recover reasonable expenses incurred in investigating and preparing the case, including attorney fees.
C. Implementing Regulations
Another difference involves implementing regulations. The CCPA required the California AG to create implementing regulations. The CPRA requires additional regulations to be adopted by July 1, 2022. [2] The VCDPA, by contrast, does not require any implementing regulations.
D. Retroactivity
A recent opinion from the U.S. District Court for the Northern District of California held that the CCPA does not apply retroactively, meaning it is limited to alleged violations that occurred after January 1, 2020, when it became effective. [3] Because "Virginia law does not favor retroactive application of statutes," and the VCDPA does not contain a "manifest" statement that the legislature intended it to apply retroactively, enforcement should be limited to violations that occur after the statute becomes effective on January 1, 2023. [4]
E. Consumer Privacy Funds
Both California and Virginia created funds in their state treasuries called the "Consumer Privacy Fund."
In California, the Consumer Privacy Fund was created to house the proceeds of any settlement of an action brought pursuant to the CCPA. Funds transferred to the Consumer Privacy Fund are used first to offset any costs incurred by the state courts and the AG in connection with the CCPA, and then 91% invested by the treasurer and 9% to the California Privacy Protection Agency for the purposes of creating grants in California. The California Consumer Privacy Fund was initially funded through the General Fund with $5,000,000 during the fiscal year 2020-2021, and $10,000,000 during each fiscal year thereafter.
The VCDPA created a special non-reverting fund known as the Consumer Privacy Fund that is used to support the work of the Virginia AG to enforce the VCDPA, subject to appropriation. All civil penalties collected under the VCDPA are paid into the state treasury and credited to the fund.
F. Predicted Enforcement Impact
According to the Virginia AG, its enforcement obligations under the VCDPA will require it to spend $330,556 per year to hire a dispute resolution specialist, a consumer protection investigator, and an assistant AG to handle additional individual consumer complaints, and, where deemed appropriate, pursue actions on behalf of those consumers. [5] Although the Virginia AG has stated that it does not expect recoveries from civil penalties to be sufficient to cover these personnel costs, it is unclear if that is simply because enforcement will not be possible until January 1, 2023, or because the office does not expect recoveries to exceed $330,556 after that date. Nevertheless, businesses should not assume that enforcement actions will not be a priority starting in 2023. Businesses should prepare for immediate enforcement and develop strong compliance programs ahead of 2023.
Given the similarities between the CCPA and VCDPA, businesses should keep an eye on the issues that may give rise to enforcement actions under the CCPA as those issues will likely be on the Virginia AG's radar as well. For further information on areas of enforcement likely to catch the California AG's attention, see our California Consumer Privacy Act Enforcement Series, available here.
[1] The CPRA amended the CCPA in 2020. Except where specifically noted, both are referred to collectively as the CCPA hereafter.
[2] The California Privacy Protection Agency can assume authority to issue these regulations by providing the California AG with notice.
[3] Order Granting Motion to Dismiss and Denying Motion to Strike Class Allegations, Gardiner v. Walmart, Inc., No. 4:20-cv-04618 (N.D. Cal. Mar. 5, 2021), ECF No. 43.
[4] Bailey v. Spangler, 289 Va. 353, 358–59 (2015).
[5] https://lis.virginia.gov/cgi-bin/legp604.exe?211+oth+SB1392FES1122+PDF
