The VCDPA vs. CCPA: Comparing State Privacy Laws
California and Virginia are leading the effort among states to enact new consumer data privacy laws that identify specific consumer privacy rights and introduce requirements for the commercial collection and processing of consumer data.
The California Consumer Privacy Act (CCPA) went into effect in 2020 and created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. The California Privacy Rights Act (CPRA) – sometimes referred to as “CCPA 2.0” – was a ballot measure approved by California voters in 2020, which significantly amended and expanded the rights and requirements set forth in the CCPA.
Virginia’s Consumer Data Protection Act (VCDPA) went into effect in Jan. 2023 and creates rights and obligations related to the processing of consumer data similar to the California laws, but with key differences around enforcement, exemptions, and how consumer rights are defined.
The following table provides an at-a-glance comparison of the key elements of each law; it is not meant to provide a comprehensive overview of each law’s provisions.
[Download the full comparison table as a PDF.]
California and Virginia are leading the effort among states to enact new consumer data privacy laws that identify specific consumer privacy rights and introduce requirements for the commercial collection and processing of consumer data.
The California Consumer Privacy Act (CCPA) went into effect in 2020 and created an array of consumer privacy rights and business obligations regarding the collection and sale of personal information. The California Privacy Rights Act (CPRA) – sometimes referred to as “CCPA 2.0” – was a ballot measure approved by California voters in 2020, which significantly amended and expanded the rights and requirements set forth in the CCPA.
Virginia’s Consumer Data Protection Act (VCDPA) went into effect in Jan. 2023 and creates rights and obligations related to the processing of consumer data similar to the California laws, but with key differences around enforcement, exemptions, and how consumer rights are defined.
The following table provides an at-a-glance comparison of the key elements of each law; it is not meant to provide a comprehensive overview of each law’s provisions.
[Download the full comparison table as a PDF.]
What are the basics?
| CCPA | CPRA | VCDPA | |
| Name |
California Consumer Privacy Act | California Privacy Rights Act | Consumer Data Protection Act |
| Citation |
Cal. Civ. Code § 1798.100 et seq. | Cal. Civ. Code § 1798.100 et seq. | Va. Code § 59.1-571 et seq. |
| Jurisdiction |
California | California | Virginia |
| Scope | Comprehensive | Comprehensive | Comprehensive |
| Model |
Opt-out | Opt-out | Opt-out |
| Sector |
Non-sectoral | Non-sectoral | Non-sectoral |
| Effective Date(s) | Jan. 1, 2020 | Took effect Dec. 16, 2020; CCPA revisions operative Jan. 1, 2023 | Jan. 1, 2023 |
Whose data is protected?
| CCPA | CPRA | VCDPA | |
| Statutory term | Consumer | Consumer | Consumer |
| Defined as | Natural person who is California resident | Natural person who is California resident | Natural person who is Virginia resident |
What data is protected?
| CCPA | CPRA | VCDPA | |
| Statutory term | Personal information | Personal information | Personal data |
| Defined as | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked – directly or indirectly – to a particular consumer or household | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked – directly or indirectly – to a particular consumer or household | Any information that is linked or reasonably linkable to an identified or identifiable natural person |
| Definition excludes de-identified data | Yes, but see provisions regarding reidentification of de-identified information Cal. Civ. Code §1798.148 | Yes, but see provisions regarding reidentification of de-identified information. Cal. Civ. Code §1798.148. Moreover, the CPRA authorizes the attorney general to update the definition of “de-identified.” Cal. Civ. Code §1798.185(a) | Yes, but special requirements apply to de-identified data Va. Code § 59.1-581 |
| Definition excludes publicly available info | Yes | Yes | Yes |
| Definition excludes aggregate info | Yes | Yes | Not specified |
What types of data have heightened protections?
| CCPA | CPRA | VCDPA | |
| Statutory term | None | Sensitive personal information | Sensitive data |
| Biometric data | n/a | No | Yes |
| Children’s data | n/a | No | Yes |
| Citizenship status | n/a | No | Yes |
| Electronic communications | n/a | Yes, content of | No |
| Financial account info | n/a | Yes, credentials or access to | No |
| Genetic data | n/a | Yes | Yes |
| Geolocation info | n/a | Yes, “precise” | Yes, “precise” |
| Government-issued ID | n/a | Yes | No |
| Marital status | n/a | No | No |
| Mental health | n/a | No | Yes, diagnosis |
| Physical health | n/a | No | Yes, diagnosis |
| Political opinion | n/a | No | No |
| Race/ethnicity | n/a | Yes | Yes |
| Religious beliefs | n/a | Yes | Yes |
| Sexual orientation | n/a | No | Yes |
| Union membership | n/a | Yes | No |
What data is exempt?
| CCPA | CPRA | VCDPA | |
| B2B-related data | Yes (until 1/1/2023) | No | Yes |
| Common rule-covered info | Yes | Yes | Yes |
| COPPA-related info | No | No | No |
| DPPA-covered info | Yes | Yes | Yes |
| Employment-related data | Yes (until 1/1/2023) | No | Yes |
| FCRA-covered info | Yes | Yes | Yes |
| FERPA-covered info | No | No | Yes |
| GLBA-covered data | Yes | Yes | Yes |
| HIPAA de-identified info | Yes | Yes | Yes |
| HIPAA-protected health info | Yes | Yes | Yes |
Who must comply?
| CCPA | CPRA | VCDPA | |
| Private sector | Business, service provider | Business, service provider, contractor | Controller, processor |
| Jurisdictional threshold | “Does business” in California | “Does business” in California | “Conducts business” in Virginia or produces products or services “targeted” to Virginia residents |
| Revenue threshold | Annual gross revenues greater than $25 million | Annual gross revenues greater than $25 million in preceding calendar year | None |
| Processing threshold | Data of 50,000 or more consumers | Data of 100,000 or more consumers | Data of 100,000 or more consumers |
| Broker threshold | At least 50% of revenue from selling of data | At least 50% of revenue from selling or sharing data | Data of 25,000 or more consumers and at least 50% of revenue from sale of data |
Who is exempt?
| CCPA | CPRA | VCDPA | |
| Public sector | Yes | Yes | Yes |
| Nonprofits | Yes | Yes | Yes |
| GLBA financial institutions | No | No | Yes |
| HIPAA-covered entities | Yes | Yes | Yes |
| HIPAA business associates | Yes | Yes | Yes |
| Higher education institutions | No | No | Yes |
Navigate state consumer data privacy laws with confidence with Bloomberg Law
Save valuable time when you trust Bloomberg Law’s Chart Builder tool to compare consumer data privacy laws across multiple jurisdictions and understand complex regulatory and compliance requirements with ease. Download this page to easily compare elements of the VCDPA with other key state privacy laws.
Our expert analysis, comprehensive coverage, news, and practice tools help you stay on top of the dynamic field of consumer data privacy so you can provide sound counsel to your clients and stakeholders. See it for yourself. Request a demo.