CCPA On The East Coast? Meet CDPA, Virginia’s Consumer Data Protection Act


Last week, Virginia’s house of representatives and senate passed the Consumer Data Protection Act (CDPA) with sweeping majorities.

And so, once Gov. Ralph Northam signs the bill into law, as he’s expected to do in the coming weeks, you can add “CDPA” to your list of privacy regulation initialisms.

Some are calling the CDPA, which is the second comprehensive data privacy law in the United States, Virginia’s answer to GDPR or the East Coast version of the California Consumer Privacy Act.

But the truth lies somewhere in between. The bill, which would take effect on Jan. 1, 2023 if passed, borrows from both of its high-profile predecessors.

Here’s how CDPA stacks up.

CDPA vs. CCPA vs. GDPR

Although Virginia lawmakers were clearly inspired by California, CDPA is an opt-in law and uses similar language to GDPR to define consent, which needs to be clear, affirmative, freely given, specific, informed and unambiguous.

This standard is higher than what’s called for under CCPA and the California Privacy Rights Act (CPRA), which require that consumers be given the opportunity to opt out of data collection.

CDPA gives consumers GDPR-like rights.

“Where the CCPA only provides a right to know and a right to be deleted, the CDPA provides a right of access, correction, deletion and portability broadly reflected in the farther-reaching obligations of the GDPR,” said Cillian Kieran, CEO and founder of privacy compliance startup Ethyca.

But when it comes to applicability thresholds, the CDPA is a little looser than the CCPA.

Whereas the CCPA sets a specific revenue threshold – the law applies to any business with annual gross revenue of more than $25 million – the Virginia bill doesn’t. CDPA would apply to anyone that conducts business in the Commonwealth and either controls or processes the personal data of at least 100,000 consumers or derives more than 50% of its gross revenue from the sale or processing of data belonging to at least 25,000 consumers.

The CDPA also has a somewhat more limited definition of the term consumer, which only refers to people who reside in Virginia and excludes anyone acting in a commercial capacity or employment context.

Taken together, the lack of a revenue threshold combined with this narrower definition means that the Virginia law would likely apply to fewer businesses overall than CCPA, Kieran said.

Kieran noted that the Virginia bill also contains specific carve-outs for businesses that already process data regulated by other laws, such as health data under HIPAA and sensitive financial data governed by the Gramm-Leach-Bliley Act.

No private right of action

One other significant difference between CCPA and the bill in Virginia is that the latter doesn’t provide for a private right of action, meaning that the attorney general is the only one who would have the right to enforce the law.

There is a private right of action under CCPA for violations of the law that involve data breaches, which has opened the door for class-action lawsuits.

If CDPA passes, the attorney general will be able to seek up to $7,500 per violation, including injunctive relief and attorney’s fees, following a 30-day cure period during which the breaching party will have an opportunity to fix whatever mess it’s accused of.

Getting prepped

While Virginia’s privacy law is still a bill, there’s little doubt that Virginia’s governor will sign CDPA into law – and soon.

Although some geo-specific modifications will be necessary, businesses that have already done prep work for CCPA and/or GDPR will be “in a good place” when CDPA hits the books, said Charles Farina, head of innovation at Adswerve.

And “we expect most privacy vendors like OneTrust and Cookiebot to have updates available quickly once [CDPA is] signed into law,” Farina said.

But don’t fall into the trap of thinking that being prepared for CCPA will make CDPA prep into a box-checking exercise, Kieran said. CDPA has a different definition for the term “consumer” and provides increased rights that are more akin to those under GDPR.

“Ensuring your business is completely compliant with the GDPR is a better baseline for preparation for broader data privacy regulations,” Kieran said. “But it’s important to recognize that each state has nuances … there is no one-size-fits-all solution.”