By now, you’re probably familiar with the California Consumer Privacy Act (CCPA), which went into effect on the first day of 2020. Though it’s a state law, it impacts how businesses across the globe manage the personal information (PI) of California’s residents. But CCPA’s legacy is that it redefined what PI actually is:
“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
To clarify further, PI includes direct identifiers such as name and address, as well as indirect identifiers such as IP addresses and cookies. The definition also extends to biometric data, Internet activity, and more. The moral of the story is that going forward, companies will need to design their data ecosystems to be flexible to meet privacy requirements since even the very definition is a moving target.
Enter the Virginia Consumer Data Protection Act (VCDPA), which some are calling the CCPA of the East Coast. No matter what you call it, the concept has quickly jumped across the country and become a reality for Virginia businesses. Some say this may open the floodgates for Washington to consider a national privacy law. Regardless, businesses that collect or process Virginians’ data will likely be affected, so businesses should prepare. Although many lawyers are saying VCDPA is more business-friendly than CCPA, there are new and different requirements that need to be addressed, such as corrective action and data protection assessments.
CCPA VS. VCDPA: A QUICK COMPARISON
First, let’s define which businesses are subject to VCDPA. While the graphic below shows the two scenarios that make a business subject to the law, if your website receives more than 275 unique Virginia visitors per day, your business is likely to be in scope for VCDPA.
Note one important omission: there is no revenue threshold imposing obligations. While California said any company with revenues over $25 million is subject to CCPA, Virginia does not make this blanket stipulation for large companies, which may be an advantage for large B2B companies that don’t process more than 100,000 Virginians’ PI data.
In addition, Virginia’s law doubles the number of Virginia consumers a company can process (to 100,000) without being subject to the law and explicitly omits a person from its definition where they are “acting in a commercial or employment context.” Taken together, these factors essentially mean that VCDPA does not cover B2B or employee data. Additional differences between the two laws can be found in the chart below.