Virginia's Consumer Data Protection Act vs. CCPA and CPRA

  • by Angelique Carson
  • last updated May 25, 2021

A close-up comparison of Virginia's Consumer Data Protection Act (CDPA) vs. California Consumer Privacy Act vs. California Privacy Rights Act

What is the CDPA?

Virginia's Consumer Data Protection Act (CDPA), which passed on March 2, 2021, grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared.

The CDPA zoomed through the state's legislature with exceptional speed, passing just a few short weeks after its introduction. Virginia joins California as only the second U.S. state to succeed in pushing privacy legislation through the legislature.

The law contains some similarities to the EU General Data Protection Regulation's provisions and the California Consumer Privacy Act. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:

  • Control or process the personal data of 100,000 or more consumers; or
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 

It requires businesses to: 

  • Provide consumers with a clear privacy notice that includes a way for consumers to opt out of targeted advertising.
  • Comply with consumer requests to see data collected on them within 45 days.
  • Obtain opt-in consent for sensitive data processing.
  • Disclose to consumers if their data will be sold. 
  • Allow consumers to opt out of having their data sold.
  • Allow consumers to delete their data. 

What consumer rights does the CDPA grant?

The CDPA grants Virginia residents the right to control what happens with data collected about them. Specifically, the law allows consumers:

  • The right to opt out of behavioral advertising.
  • The right to delete their data.
  • The right to opt out of the sale of their personal data.
  • The right to data portability (the ability to transfer data from one platform to another). 

What is a service provider under CDPA? 

Under the CDPA, service providers are considered "processors." A processor is any entity performing a task for the data "controller," the company collecting the data and deciding how to use it.

Under the CDPA, controllers and processors have to contractually agree that the processor will delete or return all personal data at the controller's request, and processors can't use additional service providers unless they've contractually agreed to meet the CDPA's requirements. 

What are the rules on targeted advertising? 

Some of the law's critics have said the bill should be more restrictive in its provisions on targeted advertising. Consumers have the right to opt out of their data being used for targeted advertising. The law defines targeted advertising as the use of Virginians' personal data to deliver advertisements based on data from third-party websites or apps in order to predict preferences or interests. 

But the law does not apply to:

  • Ads based on activities within a data controller's own website or app.
  • Ads based on a consumer's search query, website visit or online application.
  • Ads directed to a consumer based on their request for information. 
  • Personal data processed only to measure or report advertising performance/reach. 

When does the CDPA go into effect? 

The CDPA becomes effective January 1, 2023. It's likely lawmakers will amend the law before then, and a workgroup will review the law and suggest changes by November 2021. 

The Virginia Attorney General will enforce the law. While it does not contain a private right of action as a consumer redress tool, it does allow the attorney general to seek civil penalties of up to $7,500 per violation. 

Comparing CDPA to CCPA and CPRA

Below is a chart comparing some of Virginia's law with both the California Consumer Privacy Act (CCPA), which became effective in 2018, and the law that will replace it on Jan. 1, 2023, the Consumer Privacy Rights Act (CPRA). 

 
| | CCPA | CPRA | CDPA |
| --- | --- | --- | --- |
| Enforcement | California Attorney General's Office | California Privacy Protection Agency | Virginia Attorney General's Office |
| Profiling | N/A | Consumers can opt out of automated decision-making | Consumers can opt out of profiling that produces "legal or significant effects," including for housing, employment and educational eligibility, for example |
| Sensitive data | N/A | Businesses must disclose how they collect, use and disclose. Consumers may opt out of the use of their sensitive data | Consumers must opt in to the collection and use of their sensitive data for processing |
| Data minimization | N/A | Businesses must only collect and retain what's "reasonably necessary" and "proportionate" to the intended purpose | Businesses must only collect and retain what is adequate, relevant and reasonably necessary to the purpose, and that must be disclosed to consumers |
| Consumer remedies | Consumers may file a private right of action when lack of reasonable security leads to a breach | CCPA, plus consumers can file a private right of action if data breached includes consumer's email address and password or security question | Companies must establish a process for consumers to submit complaints. No private right of action |
| Data Protection Impact Assessments | N/A | Required, specific rules to be determined by forthcoming rulemaking | Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm" |
| Deletion | Businesses must fulfill validated consumer requests to delete their data | Businesses fulfilling legitimate deletion requests must also notify third parties to delete such information | Businesses must delete personal data provided by or obtained via the consumer |
| Opt-out links | Businesses must have a "Do not sell my personal information" link | Businesses must have a "Do not share my personal information" link and a "Limit the use of my personal information" link | N/A |
| Fines | Up to $7,500 per violation or $2,500 per unintentional violation | Automatic $7,500 fine for violations of minors' data (children under the age of 16) | Up to $7,500 per violation |

About The Author · Angelique Carson

Angelique Carson is the Director of Content at Osano, a B-corp privacy platform that makes compliance with privacy laws easy for companies of all sizes. She is a professional writer and editor who has worked in journalism and publishing for more than ten years. Previously Angelique was an editor at the International Association of Privacy Professionals and the host of The Privacy Advisor Podcast. She lives in Washington, D.C., with her puppy Miles.