What marketers and data processors need to know about the differences between these laws
Last month, the Consumer Data Protection Act (CDPA) became law in Virginia, although it only went into effect in 2023. The CDPA is the latest example of data protection legislation and has drawn a very close comparison between experts. And its cousin in California: the California Consumer Privacy Act (CCPA).
In all fairness, the two have a lot in common. Both give consumers the maximum right to view, know and delete their data and prevent them from processing their personal data. Both offer businesses a basic 30-day payback period in the event of a breach. And both require companies to make certain information security measures.
But there are also many differences.
A complete and detailed comparison of all the similarities and differences between these two laws will be made. However, the following are three of the most important comparisons that marketers and professionals start with data protection.
The scope of the laws
Agreements: Both laws apply to the most profitable businesses, as it somehow depends on the income and/or data management of the respective residents.
Difference: great. California probably extends beyond Virginia here.
The California CCPA applies to any for-profit (federally funded) business that meets one of the following three requirements:
1. You have more than $ 25 million in legal annual gross sales (regardless of the source of income); OR
2. Receive at least 50% of annual revenue from the sale of personal information by consumers in California (regardless of the amount of revenue); OR
3. Purchase, sell, receive, for commercial purposes and/or share for commercial purposes, “alone or in combination, the personal information of 50,000 or more [California residents], families or devices” in one year.
(The inclusion of “devices” is important in the age of the IoT.)
Meanwhile, the CDPA in Virginia applies to two small categories of paid work (always subject to federal exclusion):
1. The Company controls or processes the personal data of at least 25,000 Virginia consumers in a calendar year AND obtains more than 50% of its gross revenue from the sale of personal data; OR
2. The company manages or processes at least 100,000 personal data for Virginia consumers in a calendar year (regardless of revenue).
Some additional questions: California has integrated a version of the data fix with the CCPA. Meanwhile, Virginia exempts public high schools (including for-profit ones) from the requirements of the CDPA.
Both countries also cut data processing in the context of employers and benefits administrators and for “emergency contact” purposes.
The exception to public availability
Agreements: Both CCPA and CDPA have exceptions to “public information”.
Difference: the CCPA limits what qualifies as “publicly available information”; The CDPA defines “public information” very broadly.
Both laws protect personal data but exclude “public information” from their respective definitions. If it’s public, it’s not personal.
When Virginia says “public information,” it means – and then something. This MarTech Today article takes a closer look at the subject, but to simplify it if a layman can reasonably see it as “public information”, it is likely to fall under the CDPA, provided the information is disclosed “legally”.
Californians don’t play here. According to the CCPA, “public information” includes only information that is “legally made available through federal, state or local government data.”
And the CCPA is even more protective than that. To further protect consumers in the era of ubiquitous data collection and facial recognition entrusted to state contractors, California goes even further with this additional language: “publicly available” does not mean that a company collects biometric information about a consumer. . , nobody.
The severity of the sanctions
Play: $ 7,500 maximum per infraction.
Difference: but not really. CDPA fines can be worse.
A different bonus: the CCPA explicitly allows certain private action rights; CDPA n.
Except: both can allow implicit rights related to private actions.
This: it’s a bit complicated, yes.
Both the CCPA and the CDPA usually have a maximum fine of R $ 7,500 per infringement.
The CDPA extends this aspect by specifically allowing the Virginia Attorney General’s office to recover legal and investigative costs. The CCPA does not appear to have a specific provision.
Additionally, the $ 7,500 CCPA applies only to willful violations of the law. Violations of the CCPA, whether intentionally (unintentionally), reckless or negligent, will result in a maximum fine of only $ 2,500 per – one-third of the fine for an intentional crime.
However, it can be neutralized by the CCPA, which gives consumers the right to private action, but only for certain violations related to the consumer’s breach of “unencrypted or unaltered personal information” and only with the consumer’s consent. California Attorney General. While both laws primarily refer to enforcement by the relevant law firm (or, in the case of the CCPA, other law enforcement agencies), the CCPA specifies the circumstances under which an individual can sue for a suspected crime.
According to the claim, a successful CCPA candidate could accidentally recover $ 100 to $ 750 (or possibly even more than $ 750 if the claimant can repair the actual damage) (contrary to the much stricter “breach” standard. Statement (“Hey! Stop it. Don’t do it again. Be good. “), And the omnipresent recording of all other hits. Consider it right and fair.”
Compare the Virginia CDPA, which prohibits private action rights under the CDPA, period.
Additionally, both laws have language that, in no other law, can be used as the basis for a private right of action, but which has not prevented California plaintiffs from filing separate lawsuits due to violations of several relevant laws. . under the CCPA. Whether Virginia consumers will also respond to the CDPA remains to be seen.