Is Virginia data privacy law the same as CCPA?

The Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA), including its amendment the California Privacy Rights Act (CPRA), share the overarching goal of enhancing consumer control over personal data but differ in several significant legal and operational aspects.

Key differences are as follows:

• Exemptions:
  VCDPA explicitly exempts entities regulated under HIPAA, GLBA, nonprofits, and institutions of higher education. In contrast, CCPA has broader applicability with fewer exemptions for these sectors (Virginia General Assembly, 2021).

• Opt-Out and Consent Requirements:
  VCDPA requires businesses to obtain consumer consent before processing sensitive data categories (e.g., race, health data), representing an opt-in framework for sensitive information. Conversely, CPRA follows an opt-out model, allowing consumers to prohibit the sale or sharing of personal data but not requiring prior consent (Cal. Civ. Code §1798.100; Va. Code Ann. §59.1-575).

• Scope of Opt-Out Rights:
  Virginia law grants consumers broader opt-out rights, including:

  • Targeted advertising
  • Sale of personal data
  • Profiling

  California’s law primarily focuses on the sale and sharing of personal information but less explicitly on profiling (Cal. Civ. Code §1798.120; Va. Code Ann. §59.1-575).

• Private Right of Action:
  A critical distinction is the absence of a private right of action in VCDPA. California law permits consumers to sue for certain data breaches or violations, creating a direct enforcement path beyond regulatory oversight (California Attorney General, 2023). Virginia relies solely on government enforcement without consumer litigation avenues.

• Enforcement Agencies:
  The CPRA established the California Privacy Protection Agency (CPPA), a dedicated regulatory body with enforcement powers (Cal. Civ. Code §1798.185). Virginia does not have a dedicated privacy enforcement agency; enforcement falls under the state Attorney General’s office (Va. Code Ann. §59.1-577).

These differences underscore divergent regulatory philosophies: California emphasizes consumer litigation rights and specialized enforcement infrastructure, while Virginia prioritizes consent for sensitive data and limits private enforcement to streamline compliance.

References:

• Virginia General Assembly. Virginia Consumer Data Protection Act, Va. Code Ann. §59.1-571 et seq. (2021). https://law.lis.virginia.gov/vacode/title59.1/chapter57/
• California Civil Code §§1798.100–1798.199 (2020). https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=
• California Attorney General. CCPA Enforcement Guidelines (2023). https://oag.ca.gov/privacy/ccpa