With the California Consumer Privacy Act in 2018 (CCPA), and the California Privacy Rights Act of 2020 (CPRA), California has dared Congress, twice, to pass sorely needed federal privacy legislation. Now Virginia is in on the act. Earlier this month, Governor Northam signed into law the Consumer Data Protection Act (CDPA), making Virginia the second state to pass a comprehensive consumer privacy regulation. The CDPA has plenty in common with the CCPA (as amended by the CPRA). Slated to begin on January 1, 2023, the same day that the CPRA’s changes take effect in California, the CDPA will be enforced by the Virginia Attorney General. We’ll be posting much more about both laws between now and then, but for now, businesses should understand that Virginia’s CDPA also differs from California’s CCPA in some important ways. Some of the key differences are:
No gross revenue threshold
The CCPA covers, among other types of companies, any for-profit company that does business in California and has annual gross revenues of at least $25 million. The CDPA, by contrast, has no revenue threshold. It applies to any company that does business in Virginia and (i) annually collects the personal information of at least 100,000 consumers (Virginia residents), or (ii) annually collects the personal information of at least 25,000 consumers and derives a majority of revenues from sales of personal information.
A narrower definition of “consumer”
The CCPA protects “consumers,” which it defines as “a natural person who is a California resident.” But Virginia defines a “consumer” as a resident “acting only in an individual or household context,” which, critically, “does not include a natural person acting in a commercial or employment context.” (The CCPA currently includes indirect and partial exemptions for employee data and personal information collected through business-to-business interactions, but those exemptions are due to expire on January 1, 2023.)
A clearer definition of “sale” of personal information
One of the most vexing compliance questions under the CCPA has been determining whether a business “sells” personal information. That’s because of the CCPA’s broad definition of sale, which includes making a consumer’s personal information available to a third party “for monetary or other valuable consideration.” Debate continues over whether use of third-party analytics and digital advertising tools provided by Facebook, Google and others amounts to a “sale” of website visitors’ personal information to those providers under this definition, which would require the business to offer an opt-out for cookies and online trackers related to those tools.
Virginia sticks to a more traditional concept of “sale,” defining it as “the exchange of personal data for monetary consideration.” The CDPA regulates “targeted advertising” separately, defining it as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” The opt-out right covers both “sales” and “targeted advertising.”
Clearer exemptions for certain types of businesses
The CCPA has been criticized for not including unequivocal exemptions for healthcare providers and financial institutions, which are already subject to industry-specific federal privacy laws. By contrast, the CDPA makes clear that it does not apply to “financial institutions” subject to the Gramm-Leach-Bliley Act or a “covered entity or business associate” governed by HIPAA.
No exceptions to the right of deletion
Unlike the CCPA, the CDPA does not provide any exceptions to a consumer’s right to deletion of their personal information. Barring an amendment, this deletion requirement threatens operational headaches for covered businesses and their service providers who receive deletion requests for data that they have an independent legal obligation or business need to retain.
More states are lining up
What is abundantly clear is that the impending wave of state privacy laws and regulations has both traction and momentum, and may ultimately serve as the basis for federal law at some point in the future. We can expect even more legislation to come as additional states set forth their own, “more improved,” versions.
In fact, more than 15 states have either introduced a data privacy and consumer protection bill or currently have one in committee, including Alabama, Florida, Illinois, Iowa, Kentucky, Minnesota, Mississippi, Nebraska, New Mexico, New York, North Dakota, Oklahoma, Pennsylvania, South Carolina, Utah, Washington state and Wisconsin. As a result, no one version of this legislation can possibly represent the “privacy law panacea” for the foreseeable future.
It is imperative that businesses continuously strive to remain at the forefront of understanding the newest changes, nuances and distinctions in these privacy laws and those to come. Equally important, however, is developing a privacy program rooted in thorough data mapping, a culture of data minimization in product development and service delivery, and a commitment to user-friendly transparency, which will serve as a necessary foundation for complying with the privacy laws of today and tomorrow.