CDPA, CCPA and CPRA : Key Differences

Virginia’s New Consumer Data Protection Act - Mandatly Inc.

All About California’s CDPA, CPRA VS CCPA

On March 2, 2021, Governor Ralph Northam signed the Virginia’s Consumer Data Protection Act (CDPA) into law making Virginia the second state to adopt a comprehensive consumer privacy law, after California. It draws heavily from the proposed Washington Privacy Act and brings together concepts from the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). The law is in operation with effect from January 1, 2023.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed on November 3, 2020. Most provisions are not operative until Jan. 1, 2023.

What is Virginia CDPA compliance?

The Virginia Consumer Data Protection Act (VCDPA) is a privacy legislation granting Virginia residents specific rights regarding their personal data. While influenced by the California Consumer Privacy Act (CCPA), the VCDPA has distinctive features. It notably contains provisions safeguarding children’s privacy. The enforcement of the VCDPA falls under the purview of the Virginia Attorney General.

What is CPRA (California Privacy Rights Act) Compliance?

The CPRA, or California Privacy Rights Act, is a data privacy law in the state of California, USA. It builds upon the California Consumer Privacy Act (CCPA) and further enhances consumer privacy rights. The CPRA introduces additional requirements and regulations for businesses that handle personal information of California residents. It grants consumers more control over their personal data, imposes stricter rules on data handling practices, and establishes a dedicated agency, the California Privacy Protection Agency (CPPA), to enforce and implement the law. CPRA compliance refers to the measures and actions businesses must take to adhere to the requirements and obligations outlined in the CPRA.

VCDPA, CCPA and CPRA : Key Differences & Similarities

In the ever-evolving landscape of data privacy, businesses need to navigate the intricacies of state-specific regulations, the Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). To help you understand their similarities and differences, we’ve prepared a comparison below. Let’s dive in to unravel the key distinctions among these important data privacy laws. Suppose you’re wondering what CCPA and CPRA entail, how they differ from the VCDPA (CDPA privacy law), and what the CPRA and CDPA requirements encompass. In that case, this comparison will provide clarity on Virginia privacy law vs California Privacy Laws (CCPA and CPRA) and shed light on the nuances between these vital regulations.

CCPA civil penalties can be significant, ranging from $2,500 to $7,500 per violation, emphasizing the California Consumer Privacy Act’s commitment to enforceable consequences for non-compliance with data privacy regulations. 

VCDPA, CPRA and CCPA penalties

The VCDPA (Virginia Consumer Data Protection Act), CCPA (California Consumer Privacy Act), and CPRA (California Privacy Rights Act) impose varying penalties for non-compliance with data protection regulations. Each has its own set of consequences, with fines and penalties designed to ensure accountability in handling consumer data. Understanding and adhering to the specific provisions of these privacy acts is crucial to avoid financial penalties and legal repercussions. Refer to the chart below for better understanding.

Similar But in Different Ways

CDPA - Mandatly Inc.
CDPA
CCPA - Mandatly Inc.
CCPA
CPRA - Mandatly Inc.
CPRA

Applicability

Who does CDPA apply to?

Section 59.1-572(A)
CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:
– Control or process the personal data of at least 100,000 consumers during a calendar year.
– Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.

Who does CCPA apply to?

Section 1798.140(c)
CCPA applies to a “business” defined as a for-profit entity doing business in California that collects or processes consumers’ personal information and meets one or more of these thresholds:
– Annual gross revenues in excess of $25,000,000.
– Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
– Derives 50% or more of its annual revenues from selling consumers’ personal information

WHO DOES CPRA APPLY TO?

Section 1798.140(d)
CPRA applies to a “business” defined as a for-profit entity doing business in California that collects or processes consumers’ personal information and meets one of these thresholds:
– Annual gross revenues in excess of $25,000,000 in the preceding calendar year.
– Annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
– Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Enforcement date

CDPA

January 1, 2023

CCPA

July 1, 2020

CPRA

July 1, 2023

Consumer Rights Under CDPA, CCPA, CPRA

CDPA

Section 59.1-573(A)

  1. Right to be informed and access
  2. Right to rectification
  3. Right to deletion
  4. Right to portability
  5. Right to opt-out of targeted advertising, the sale of personal data or profiling.

CCPA

Section 1798.100 – 1798.125

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete.
  4. Right to Access personal information.
  5. Right to Know if Personal Information is Sold.
  6. Right to Opt-Out of sale.
  7. Right against discrimination

CPRA

Section 1798.105 – 1798.125

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete.
  4. Right to rectification.
  5. Right to Access personal information.
  6. Right to Know if Personal Information is Sold.
  7. Right to Opt-Out of sale.
  8. Right to Limit Use and Disclosure of Sensitive Personal Information.
  9. Right against discrimination.

Personal Information

CDPA

Personal data means any information that is linked or reasonably linked to an identified or identifiable natural person. It does not include deidentified data or publicly available information (a separately defined term).

CCPA

Section 1798.140(o)
Personal information is defined broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information or deidentified or aggregate consumer information.

CPRA

Section 1798.140(v)
Personal information is defined broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information or deidentified or aggregate consumer information.

CDPA, CCPA, CPRA Obligations

CDPA

Data Minimization:
Controllers are required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary.

CCPA

Data Minimization:
Data minimization is not mandated under CCPA.

CPRA

Data Minimization:
Prohibits a business from retaining a consumer’s personal information or sensitive personal information for longer than is reasonably necessary for that disclosed purpose.

Reasonable Data security:
Controllers are required to maintain reasonable security measures to protect the personal data.
Reasonable Data security:
The Private Right of Action provision references a business’s duty to implement and maintain reasonable security procedures and practices.
Reasonable Data security:
A business that collects a consumer’s personal information is required to implement reasonable security procedures and practices in accordance with Section 1798.81.5.
Privacy Notice requirement:
Controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
Required Notice:
Notice at collection, notice of right to opt-out of sale, notice of financial incentive, required notice at collection, notice of right to opt-out, notice of financial incentive.
Required Notice:
Notice at collection, notice of right to opt out of sale and sharing, notice regarding sensitive personal information required under certain circumstances, notice of financial incentive.
Sensitive Data:
Controllers are prohibited from processing sensitive data without obtaining the consumer’s consent.
Sensitive Data:
Categories and purposes of sensitive personal information that are collected or used by businesses must be communicated to consumers, at or before the point of collection.
Sensitive Data:
A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information is prohibited from doing so.

Minors

CDPA

Section 59.1-572(D)
Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) shall be deemed compliant with any obligation to obtain parental consent under this chapter.

Section 59.1-573(A)
A known child’s parent or legal guardian may invoke consumer rights on behalf of the child regarding processing personal data belonging to the known child.

CCPA

Section 1798.120(c)
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. This right may be referred to as the “right to opt-in.”

Section 1798.120(d)
A business that has not received consent to sell the minor consumer’s personal information shall be prohibited from selling the personal information unless the consumer subsequently provides express authorization.

CPRA

Section 1798.120(c)
A business shall not sell or share the personal information of consumers if the business has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 and less than 16, or the consumer’s parent or guardian, in the case of consumers who are less than 13, has affirmatively authorized the sale or sharing of the consumer’s personal information.

Section 1798.120(d)
A business that has not received consent to sell or share the minor consumer’s personal information shall be prohibited from selling or sharing the personal information unless the consumer subsequently provides consent.

Penalties

CDPA

Section 59.1-579 and Section 59.1-580
If the controller or processor fails to cure the alleged violation in 30-day period, the attorney general may initiate an action and seek an injunction and civil penalties of up to $7,500 for each violation.

CCPA

Section 1798.155(b)
A business, service provider or other person that violates the law is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation, to be assessed and recovered in a civil action brought by the attorney general.

CPRA

Section 1798.199.90
Any business, service provider, contractor or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation and each violation involving the personal information of minor consumers, to be assessed and recovered in a civil action brought by the attorney general.

Common provisions

1. Responding consumer requests:

  • A 45 days’ period to respond to consumer requests.
  • This period may be extended once by 45 additional days when reasonably necessary.
  • The business must deliver the requested information free of charge.

2. Purpose limitation as major obligation:

  • Prohibited collection of additional categories of personal information or use of personal information collected for additional purposes without providing notice.

3. No discrimination against consumers:

  • Prohibits businesses from discriminating against consumers for exercising their rights.

4. Right to opt-out of sale:

  • Provides consumers with a right to op-out of the sale of their personal information anytime.

5. 30 days period to cure allegation:

  • Provides 30 days to cure alleged non-compliance before being in violation of the law.

Compliance with GDPR or CCPA does not assures compliance with Virginia’s CDPA. Although there are some similarities in all the active privacy laws, the framework, and definitions of CDPA carries its unique requirements and guidance.

Resource:
IAPP

Download free resource on California CCPA, Virginia CDPA, Colorado CPA and CPRA. - Mandatly Inc.

FAQs

What do CDPA, CCPA, and CPRA stand for, and what is the purpose of each regulation?
  • CDPA: Virginia Consumer Data Protection Act
  • CCPA: California Consumer Privacy Act (original law)
  • CPRA: California Privacy Rights Act (amended CCPA)

Each of these regulations shares the common goal of empowering consumers with control over their personal data collected by businesses. They emphasize rights related to access, deletion, opt-out, and protection against discrimination.

How do the CDPA, CCPA, and CPRA differ in terms of geographical scope?
  • CDPA: Applies to businesses operating in Virginia or processing data of Virginia residents.
  • CCPA: Applies to businesses operating in California or processing data of California residents.
  • CPRA: Same scope as CCPA, but applies to businesses with annual gross revenue exceeding $25 million.
What rights do consumers have under CDPA, CCPA, and CPRA, and how do they compare?

All three: Right to access, delete, correct, and opt-out of data sale/sharing.

CPRA: Additional rights, including portability, correction right without waiting for verification, and limitation of targeted advertising.

How do CDPA, CCPA, and CPRA address the concept of consent for data processing?
  • CDPA: Requires consent for processing sensitive data, including racial, religious, or health information.
  • CCPA: Only requires consent for the sale of personal data, not for general collection or processing.
  • CPRA: Maintains the CCPA standard for consent, but strengthens opt-out rights and allows consumers to object to data processing for targeted advertising.
What are the key obligations for businesses under CDPA, CCPA, and CPRA, and how do they vary?
  • All three: Implement data security measures, provide privacy notices, respond to consumer requests.
  • CCPA/CPRA: Additional obligations like conducting data impact assessments, appointing a data protection officer.
  • CDPA: No requirement to appoint a data protection officer.
How do CDPA, CCPA, and CPRA address sensitive data and the definition of personal information?
  • CDPA: Defines sensitive data more broadly than CCPA and requires consent for its processing.
  • CCPA: Defines personal information more broadly than CDPA, including geolocation and browsing history.
  • CPRA: Maintains the CCPA definition of personal information but expands protections for sensitive data.
Can businesses comply with all three regulations simultaneously, or are there conflicts?

Yes, businesses can comply with all three regulations simultaneously. While some differences exist, they overlap significantly in their core principles and requirements. Most businesses can adapt their practices to comply with both CDPA and CCPA/CPRA if they focus on a robust data privacy framework.

Related Blogs

Cookie Consent Solutions for GDPR & CCPA Compliance20240708043627

Cookie Consent Solutions for GDPR & CCPA Compliance

The Role of Cookie Consent Solutions in GDPR and CCPA ComplianceIn today's digital landscape, data privacy regulations like t...
Data Mapping Requirement for CPRA & CCPA Compliance20240501045009

Data Mapping Requirement for CPRA & CCPA Compliance

Data Mapping Requirement for CPRA & CCPA ComplianceWhat are the CPRA Data Mapping Requirements?The California Consumer Pr...
Virginia Consumer Data Protection Act – All about CDPA20230104044820

Virginia Consumer Data Protection Act – All about CDPA

Virginia Consumer Data Protection Act – All about CDPAWhat is VCPDA?The Virginia Consumer Data Protection Act CDPA is a...
Difference between CDPA, CCPA, CPRA and CPA20210722111718

Difference between CDPA, CCPA, CPRA and CPA

Difference between CDPA, CCPA, CPRA and CPAUnderstanding CDPA, CPA, CCPA & CPRAOn March 2, 2021, Governor Ralph Northam s...
Colorado Privacy Act (CPA)20210713052349

Colorado Privacy Act (CPA)

Colorado Privacy Act (CPA)Colorado is officially the third U.S state to adopt privacy legislation, after California and Virgi...
What is California Consumer Privacy Act?20210601090127

What is California Consumer Privacy Act?

What is California Consumer Privacy Act?The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regu...
Key Steps to CCPA Compliance Solution for Your Firm20210107075900

Key Steps to CCPA Compliance Solution for Your Firm

Key Steps to CCPA Compliance Solution for Your FirmCCPAThe California Consumer Privacy Act (CCPA) is the first state-wide dat...
GDPR vs CCPA: Key Differences and Similarities20200227094616

GDPR vs CCPA: Key Differences and Similarities

GDPR vs CCPA: Key Differences and SimilaritiesAbout GDPR and CCPAData privacy law has rapidly emerged as a focal point for bo...