International: Comparing Virginia's CDPA with the CPRA and the GDPR
The privacy and data protection field continues to evolve as various laws and regulations are developed, implemented, modified, and replaced. For the last three years, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') has been the standard; a principles-based, comprehensive law that applies across the EU and the EEA. Recent laws in two US states, however, are blazing a new trail. California's legislature passed, and the Governor approved, the California Consumer Privacy Act of 2018 ('CCPA'), which became effective from 1 January 2020, but the changes did not stop there. In November 2020, Californians voted to approve Proposition 24, the California Privacy Rights Act of 2020 ('CPRA'), amending the CCPA to expand the privacy rights of California consumers significantly. In Virginia, the legislature passed Senate Bill 1392 to Amend the Code of Virginia by adding in Title 59.1 a Chapter Numbered 52, Consisting of Sections Numbered 59.1-571 - 59.1-581, relating to the Consumer Data Protection Act ('CDPA') in February 2021, and approval by the Governor is expected. John Pilch, Cybersecurity/Privacy Analyst at Woods Rogers PLC, compares and contrasts the CDPA, the CPRA, and the GDPR, and points out important areas of agreement and key differences.
Both the CPRA and the CDPA come into effect from 1 January 2023. The two US laws are not comprehensive, but focus on protecting personal information not covered by existing sectoral laws. Although the US laws state or imply some privacy principles, the more focused approach makes them feel more pragmatic than the GDPR.
One strength of the GDPR is the fact that it is the law in one of the largest economies in the world. The US economy is large enough, and its influence is strong enough, to establish an approach to privacy that can compete with the GDPR. Although there is no US privacy law at the federal level, the CPRA and the CDPA may provide an early look at this developing US consensus on privacy.
What is personal information?
Let's start at the beginning. The core definition of personal information is very similar across all three regimes.
Definition of personal information

| CDPA | CPRA | GDPR |
|---|---|---|
| Information that is linked or reasonably linkable to an identified or identifiable natural person. | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. | Information relating to an identified or identifiable natural person. |
The CDPA and the CPRA exempt from their rules personal information covered by existing sectoral laws including, for example:
- health information protected under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and related laws;
- banking and financial information covered by the Gramm-Leach-Bliley Act of 1999 ('GLBA'); and
- credit information regulated under the federal Fair Credit Reporting Act of 1970.
As it is a comprehensive law, the GDPR does not make these exceptions.
At this point, one of the major differences between the US laws and the GDPR arises. The US laws exclude not only publicly-available information but also information about people in an employment or commercial (B2B) context. These three categories of information are at the heart of many complaints about the GDPR, and the application of GDPR principles led to arguably unreasonable outcomes in some cases, prompting questions such as:
- Why do I need to have consent or a 'legitimate interest' to collect publicly-available data?
- Why is it a problem for my employees to have work clothes with a name tag on the front? Is there really a difference if the tag says 'Smith,' 'J. Smith,' or 'James Smith?'
- Why can't I keep the work email addresses and work phone numbers of contacts at key vendors or customers, without writing a formal memo to justify it?
- Do I really need to collect consent from a person my employee lists as an emergency contact?
These requirements did not make sense to many people in the US (and in Europe), so the US laws specifically exclude these categories of information.
What is 'sensitive' or 'special category' personal information?
All three laws use the concept that some personal information is more sensitive than other personal information. This 'sensitive' or 'special category' personal information is defined similarly in the laws, but the CDPA rules regarding the collection and processing of the information are more similar to the GDPR than to the CPRA.
Definition of 'sensitive' or 'special category' data

CDPA: Personal data revealing:
Excludes publicly-available information, as such information is excluded in the definition of 'personal data.'

CPRA: Personal information revealing:
Excludes publicly-available information.

GDPR: Personal data revealing:
Excludes data made public by the data subject.
The rules regarding processing of 'special category' data under the GDPR are very strict. In most cases, processing is prohibited unless the data subject provides explicit consent. The CDPA takes the same 'opt-in' approach, requiring covered entities to 'not process sensitive data concerning a consumer without obtaining the consumer's consent.' The CPRA uses an 'opt-out' approach, although it goes to great lengths to ensure the 'opt-out' process is readily available and easy to use for the data subject.
It is also interesting that, under the CPRA, 'sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer … shall be treated as personal information,' rather than sensitive information. An example of this is a photograph of a person, which could reveal race, ethnicity, or religious beliefs even if that were not the purpose for taking the photograph. The CDPA gets to a similar result by declaring that 'biometric data' does not include physical or digital photographs, video or audio recordings, or data generated from such images and recordings.
What entities are required to follow these rules?
The CDPA and the CPRA are much more focused than the GDPR when it comes to the entities covered by the law. The US laws try to avoid burdening small businesses with privacy requirements, while recognising that some small businesses may process a lot of personal information. The US laws also exclude government entities and non-profits, either explicitly or implicitly. As a principles-driven, comprehensive law, the GDPR is not flexible enough to make these exceptions.
CDPA: Persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

CPRA: A legal entity doing business in California for profit, that:
Subsidiaries and joint ventures that are at least 40% owned are also included.

GDPR: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Who enforces the rules?
Each of the laws identifies one or more regulators that will provide enforcement.
| CDPA | CPRA | GDPR |
|---|---|---|
| Virginia's Attorney General. | California Privacy Protection Agency, an agency of the California government. | National or sub-national data protection authorities ('DPAs'), with 'one-stop shop' and 'lead authority' concepts, and supported by a specified 'consistency mechanism.' |
The regulators may issue warnings or orders to cease violations, may require violators to suspend certain operations entirely, and may levy fines or penalties, as noted below:
| CDPA | CPRA | GDPR |
|---|---|---|
| No private right of action. | Private right of action is also available. | Private right of action is also available. |
One difference that could become quite important over time is the manner in which the regulators are funded. Under the GDPR, EU countries fund their own DPAs. The DPAs cannot generate additional funding through fines. This is not the case under the US laws. In addition to state funding, the CDPA and the CPRA each establish a process through which funds raised through fines may be appropriated by the relevant regulator. Some EU DPAs are finding it difficult to handle the volume and complexity of the cases they face, given their budgetary constraints. It will be interesting to see if the US approach is more successful in this regard.
Data subject rights
The rights of data subjects are very similar across the three laws. All three require notices to be provided to the consumers or data subjects, as well as the following:
Data subject rights

| CDPA | CPRA | GDPR |
|---|---|---|
| Entity must respond without delay, within 45 days at most. | Entity must respond within 45 days. | Entity must respond without delay, within 30 days at most. |
The GDPR's right to object to processing includes processing for direct marketing purposes, which matches up well with the more detailed items in the US laws.
All three laws require implementation of controls.
| CDPA | CPRA | GDPR |
|---|---|---|
| Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue. | Implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorised or illegal access, destruction, use, modification, or disclosure. | Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. |
The differences are minimal. The use of 'reasonable' in the CDPA and the CPRA seems to match up well with the GDPR's 'taking into account the state of the art (and) the costs of implementation.' None of the laws specify particular controls, although the GDPR provides a few examples, notably pseudonymisation and encryption. There seems to be an agreement that the list of generally-accepted controls or best practices is better developed, maintained, and controlled elsewhere, such as in the Center for Internet Security ('CIS') Top 20 Critical Security Controls, the National Institute of Standards and Technology's ('NIST') Framework for Improving Critical Infrastructure Cybersecurity, the Cloud Controls Matrix of the Cloud Security Alliance, and similar documents.
Some requirements are similar across all three laws, although the words used are different. These requirements include:
- the GDPR's Data Protection Impact Assessments, the CDPA's Data Protection Assessments, and the CPRA's periodic Risk Assessment are all risk-based assessments weighing the benefits of processing against the possible risk to the data subjects; and
- vendors who process personal information on behalf of a covered entity are drawn into virtually the same requirements faced by the covered entity itself. This potential loophole was closed in all three laws.
The GDPR contains some requirements that don't exist in the CDPA and the CPRA. These requirements include:
- appointing a data protection officer;
- a Register of Processing Activities; and
- special handling of most international transfers of personal information.
In conclusion, the authors of the two US laws clearly observed and learned from the GDPR experience. They were able to incorporate most of the strengths of the GDPR while eliminating or reducing the impact of some of its weaknesses. They have established a US approach to data privacy that is not the same as the GDPR. The GDPR is probably still the global standard, but with the CDPA and the CPRA spurring other US states to adopt privacy laws of their own, and perhaps leading to a US federal privacy law in a few years, other countries may consider the US approach as a viable alternative when they establish or modify their own privacy and data protection laws.
John Pilch Cybersecurity/Privacy Analyst
Woods Rogers PLC, Richmond