Image of virginia state and shield. Virginia has a new data privacy law.

Virginia Governor Signs Comprehensive Data Privacy Law

Image Credit: Kjrstie from Pixabay.

Following hot on the footsteps of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.

California Consumer Privacy Act
(CCPA)
California Privacy Rights Act
(CPRA)
Virginia Consumer Data Protection Act
(VCDPA)
Date of effectJanuary 1, 2020January 1, 2023January 1, 2023
Law applies toA “business” that meets at least one threshold below:
• Generates over $25M in annual gross revenue;
• Handles the records of at least 50,000 California consumers; or
• Generates over 50% in annual revenue from sales of consumer data
Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000.Applies to businesses that
• Handles the records of at least 100,000 Virginia consumers; or
• Handles the records of at least 25,000 Virginia consumers and derives over 50% in gross revenue from sales of consumer data

Definition of personal data
Any information that could be associated or linked with a particular consumer or household.Same as CCPA, except that there is a reasonableness element:
Any information that could be reasonably associated or linked with a particular consumer or household.
Limited to particular consumers.
“Any information that is linked or reasonably linkable to an identified or identifiable natural person”
Definition of sensitive personal dataDoes not define sensitive personal data.Defines sensitive personal data to include:
• Social security number
• Driver’s license
number
• Account log-in, debit,
or credit card number in combination with password or PIN
• Precise geolocation
• Racial/ethnic origins
• Religious or
philosophical beliefs
• Union membership
• Contents of e-mails or
texts to others
• Genetic/biometric
data
• Health information
• Sex life/sexual
orientation data
Defines sensitive personal data to include:
• Racial/ethnic origins
• Religious beliefs
• Mental or physical
health diagnosis
• Sexual orientation
• Citizenship/
immigration status
• Genetic/biometric
data
• Children’s data
• Precise geolocation
Consumer rights• Access
• Deletion
• Non-Discrimination
• Opt-out of:
o Sale of personal data
Same as CCPA, with the addition of rights to:
• Correct personal information
• Limit the use of
sensitive personal information
• Access
• Correction
• Deletion
• Port
• Opt-out of:
o Targeted advertising
o Sale of personal data
o Profiling in furtherance of decisions that produce legal effects
Data Privacy Impact AssessmentsNo requirement to conduct or document.No requirement to conduct or document.Controllers must conduct and document data protection assessments for the following activities:
• Targeted advertising
• Sale of personal data
• Profiling
• Sensitive data
• Catch-all: any data that presents a “heightened risk of harm to consumers.”
Data Protection AuthorityCalifornia Office of the Attorney General$10 million allocated per year to the California Privacy Protection Agency (CPPA).
Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA.
Virginia Office of the Attorney General
Cure Provision30 days to cure upon written notice of a violation by the California Attorney General’s office.Ability to cure removed from CPRA.30 days to cure upon written notice of a violation by Virginia Attorney General’s office.
EnforcementAdministrative fines ranging from $2,500 per violation to $7,500 for intentional violations.Administrative fines of $7,500 now includes intentional violations and children’s data violations.Administrative fines of $7,500 per violation.
Private Right of ActionConsumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information.Same as CCPA.Consumers do NOT have a private right of action.
Offset angled photo of Proposition 24 from the 2020 California Voter's Guide

What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Continue Reading What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)