The Legal Brief
California Love (of Privacy): Virginia and Colorado Adopt Comprehensive Data Privacy Laws That Look Similar to California Laws
July 15, 2021
Virginia and Colorado have passed legislation that will implement data privacy laws in 2023. Both the Virginia Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”) are similar to the California Consumer Privacy Act (“CCPA”) and the recently passed California Privacy Rights Act (“CPRA”) in their aims and goals. However, key distinctions among the privacy bills will require businesses to approach each jurisdiction’s consumers with specificity to ensure privacy compliance. This article will analyze some key provisions of the VCDPA and the CPA and discuss how they differ from CCPA or CPRA requirements.
Virginia Consumer Data Protection Act
Earlier this year on March 2, 2021, Governor Ralph Northam signed the VCDPA into law. That law’s passage made Virginia the second state to pass a comprehensive consumer privacy bill, with California being the first, but the VCDPA is distinct in several key ways from the current CCPA. Below is a look at some of the key provisions of the VCDPA:
- First, the VCDPA applies to all entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and that during a calendar year, either: (1) control or process personal data of at least 100,000 Virginia residents; or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.
- The key difference here is the lack of a revenue threshold. The CCPA expressly limits its application to companies with annual revenue exceeding $25M. Without this threshold provision, the VCDPA likely could require businesses generating smaller revenues, including small to mid-size entities (startups, e-commerce, etc.), to comply.
- Similar to the CCPA and CPRA, consumers have certain rights under the VCDPA. Some of these rights include the right to access, the right to data portability, anti-discrimination rights, the right to deletion, and the right to opt out of sale. However, the VCDPA also grants additional rights to Virginia residents beyond those granted under the CCPA. The right to opt in to the processing of sensitive data and the right to appeal are unique to the VCDPA. They give a Virginia resident a specific opt-in for the processing of sensitive data and the ability to appeal denied requests in order to uphold the aforementioned rights.
- A key difference here is in the definition of a “consumer” under the VCDPA. The definition includes Virginia residents but expressly excludes any person acting in a commercial or employment context. This departs from the CCPA language and means that the collecting or processing of data between businesses or in an employment relationship would fall outside the scope of the law.
- Finally, the VCDPA has a narrow enforcement mechanism. The statute grants the Attorney General exclusive authority to enforce its provisions, subject to a 30-day cure period for any alleged violations. The Attorney General may seek injunctive relief and damages of up to $7,500 for each violation, as well as reasonable expenses incurred in investigating and preparing the case, including attorney fees.
- This is a MAJOR difference from the CCPA/CPRA, as the VCDPA does not include a private right of action for citizens whose privacy and data rights are violated.
Colorado Privacy Act
On July 7, 2021, Colorado Governor Jared Polis signed the CPA into law, making Colorado the third state to pass comprehensive consumer privacy legislation. The CPA goes into effect on July 1, 2023 and, similar to the VCDPA, has many similarities to the CCPA/CPRA. The CPA will grant Colorado residents the right to access, correct, and delete the personal data held by organizations subject to the law. It also will give Colorado residents the right to opt-out of the processing of their personal data for purposes of targeted advertising, sale of their personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer. However, the CPA presents multiple key distinctions to its counterparts, including the following:
- The CPA applies to any legal entity that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and that satisfies one or both of the following thresholds during a calendar year: (i) controls or processes personal data of 100,000 or more Colorado residents; and/or (ii) both derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents.
- Unlike the CCPA/CPRA, but similar to the VCDPA, the CPA has no revenue threshold requirement to obligate businesses to comply. In addition, the CPA contains a number of exclusions, including both entity-level and data-specific exemptions. For instance, it does not apply to certain entities, including air carriers and national securities associations. Employment records and certain data held by public utilities, state government, and public institutions of higher education are also exempt.
- Like the VCDPA, the CPA expressly exempts individuals acting in a commercial or employment context. A “consumer” under the CPA is a Colorado resident who is acting only in an individual or household context – in other words, in that resident’s personal life as a private citizen. Once again, this is a departure from the CCPA/CPRA language, which does not exempt business-to-business and employee data; the CCPA’s exemptions for such data are set to expire in 2023.
- When it comes to enforcement, the CPA follows the route of the VCDPA and does not provide consumers with a private right of action either. The CPA is enforceable by Colorado’s Attorney General and state district attorneys, subject to a 60-day cure period for any alleged violation until 2025. A violation of the CPA constitutes a deceptive trade practice for purposes of the Colorado Consumer Protection Act, with violations punishable by civil penalties of up to $2,000 per violation with a maximum penalty of $500,000 for related violations. Each “violation” is measured per consumer and per transaction, meaning that non-compliant businesses can rack up some major fines but can only be pursued through limited public/governmental means.
The arrival of new comprehensive data privacy laws is not surprising. Most companies have been working diligently on privacy efforts and compliance for the last few years, following California’s lead, and the introduction of these new laws should only shift the focus to the specific distinctions within the language of these pieces of legislation. While we cannot cover all the distinctions within this article, understanding the differences between the CCPA, CPRA, VCDPA, and the CPA - though nuanced - is vital to shaping and carrying out an effective compliance strategy. These new laws and the substantive distinctions between them will only continue to grow and underline the importance of obtaining expert advice on these important topics now and into the future. If any business needs further guidance about the CPRA, the CCPA, the VCDPA, the CPA, or other consumer privacy laws, the experienced attorneys in our Pittsburgh office are available by phone and email to assist. Please feel free to reach out with any questions or concerns.