VCDPA vs CCPA: Overview of Differences & Similarities

Table of Contents

Data privacy laws can be really confusing for businesses. With new state regulations popping up across the United States, it’s hard to keep track of everything. The VCDPA and CCPA aim to give consumers more control over the personal data that companies collect. But they go about it in somewhat different ways.

In this article, we’ll compare VCDPA vs CCPA and explain what each one covers, how they define personal information, the rights folks have under them, and other big points. Whether you’re just learning about privacy laws or want a refresher, this will give you a good sense of where Virginia and California stand in terms of data privacy.

Let’s dive in.

Key Takeaways

The VCDPA and CCPA laws have some big differences, especially in how they define personal information, what kinds of businesses have to follow the laws, and small differences in what businesses must do to ensure compliance.

Both laws give consumers more rights to access, change, and delete their personal information, which shows how much more important it’s becoming in our digital world for people to control their own data.

Being transparent about how data is collected and used is a major focus of the VCDPA and CCPA too. This means businesses have to be really clear and upfront in their privacy policies and practices about what they’re doing.

What is the VCDPA?

What is the VCDPA (1).jpg

What is the VCDPA (1).jpg

The Virginia Consumer Data Protection Act is a new privacy law that shares many similarities to California data privacy laws but with a few key differences. This law went into effect in January 2023, so it’s pretty new.

It applies to businesses that operate in Virginia or process the data of Virginian residents and processes at least 100,000 consumers, or at least 25,000 consumers, if over 50% of their revenue comes from selling personal data.

The main focus of VCDPA is protecting the personal information of Virginia residents, particularly VCDPA sensitive data, and it makes sure businesses are handling this type of data with utmost care and protection.

When VCDPA talks about personal data, it means any details that can be connected to a specific person – things like name, address, online usernames, etc. It does not apply to people for commercial or employment purposes.

So, if you’re a medium or large business with operations in Virginia or dealing with Virginia consumers, you must comply with the VCDPA provisions. It doesn’t matter how big or small you are as a business. What matters is how much customer data you have and if you make money from that data.

What is the CCPA?

What is the CCPA.jpg

What is the CCPA.jpg

The California Consumer Privacy Act (CCPA), now CPRA (California Privacy Rights Act), is a groundbreaking privacy law in the United States, setting a standard for data privacy and consumer rights. The CCPA became effective in January 2020 and has been a game-changer for businesses and consumers alike in California.

The main goal of the CCPA is to give Californians more say over their personal details. If your business works with Californians and makes over $25 million per year, has the personal info of more than 50,000 people, or makes over half its money by selling consumer data, you need to follow the CCPA.

Even if they aren’t located in California, and the law is especially relevant for businesses with lots of consumers in California or businesses that earn a significant portion of their revenue from selling consumers’ data.

Under the CCPA, personal information covers a wide range of consumers. It includes obvious stuff like names and addresses but also less obvious things like browsing history and location data. The CCPA defines consumers broadly, so it does apply to data for employment and commercial purposes.

The CCPA empowers consumers with several rights. A key aspect of CCPA, includes the right to know about the personal information a business collects about them and how it is used and shared. Consumers also have the right to delete personal information held by businesses and the right to opt out of the sale of their personal information.

Differences Between VCDPA vs CCPA

Differences Between VCDPA vs CCPA.png

Differences Between VCDPA vs CCPA.png

When it comes to privacy laws in the U.S., Virginia’s Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Rights Act (CPRA) stand out. They both aim to protect personal information and require businesses to be clear about their practices. However, there are key differences between them that are crucial for businesses to understand.

Scope of Each Law

The Virginia Consumer Data Protection Act (VCDPA) applies to businesses called controllers that either do business in Virginia or target Virginia residents and handle the personal data of at least 100,000 consumers or at least 25,000 consumers if over 50% of their revenue comes from selling personal data.

The CCPA, now California Privacy Rights Act (CPRA) applies to businesses that operate for profit in California, collect Californians’ personal information, and decide how to process that data.

The law affects businesses with over $25 million in revenue or those that deal with the personal info of more than 100,000 consumers/households or make over 50% of their money by selling or sharing personal information.

Definitions of Personal Information

The VCDPA defines personal data as information tied to a person, not counting anything public or with no name attached.

Under California’s law, meanwhile, defines personal information as information that identifies or relates to a certain consumer or household. So public info, stuff obtained legally that’s a public concern, things with no names, and aggregate consumer info don’t count as personal under CCPA or CPRA.

Consumer Rights

VCDPA says that consumers have the right to access, correct, delete, and obtain a portable copy of their personal data and a right to non-discrimination. They can opt out of data processing for targeted advertising, sales, or profiling. Employees are not covered under these rights.

CPRA extends the rights under CCPA, allowing consumers to know what personal information is collected, sold, or shared and to access, correct, limit, obtain a copy, and delete it. They can also opt out of the sale or sharing of their personal information and limit the use of sensitive personal information. Under California law, employee data is protected by the act.

Privacy Policy Requirements

The Virginia Consumer Data Protection Act says companies need to write privacy policies that are clear and transparent. The privacy policy should explain what kinds of personal information the businesses collect, why they use it, third parties, and how people exercise their data rights (among other things).

The California Privacy Rights Act went even further with their privacy law. Their policies need more details on sources of data collection and metrics on consumer requests.

Additionally, on top of having a privacy policy, providing notice at the moment of data collection and giving information about an individual’s right to opt-out as well as any financial benefits, is required under the California privacy law.

The privacy policy must also be “just-in-time” under the CCPA, which means, it requires notifications at or prior to the moment of gathering data.


The VCDPA is enforced by the Virginia Attorney-General, which enforces fines of up to $7,500 per violation. Consumers do not have the right to take legal for companies violating the VCDPA.

The CCPA/CPRA is enforced by the California Privacy Protection Agency and the California Attorney-General. The CCPA fine can reach up to $2,500 unintentional violations or $7,500 for each intentional violation, including those involving children’s personal information. Consumers do have the right to take legal action for companies violating the CCPA/CPRA.

Similarities Between VCDPA vs CCPA

Similarities Between VCDPA vs CCPA.png

Similarities Between VCDPA vs CCPA.png

While the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA) have their differences, they also share several key similarities. These commonalities are crucial in shaping how businesses handle consumer data and ensure privacy.

Transparency and Accountability

Both the VCDPA and CCPA emphasize the importance of transparency and accountability in data handling.

Businesses are required to be clear about how they collect, use, and share consumer data. This means providing detailed privacy notices and being upfront about data practices. Consumers must also be made aware of their rights.

Reasonable Security of Data

The VCDPA and CCPA both require businesses to implement reasonable security measures for data protection to safeguard consumer data. This means taking steps to prevent data breaches and unauthorized access to personal information.

This can be encrypted data, strong and regularly changed passwords, and using technologies to detect and respond appropriately to any instances of suspicious activity. Businesses must also be able to demonstrate how their practices meet this security.

Businesses must also conduct regular data protection assessments to help identify any security issues or vulnerabilities. Once identified, appropriate measures should be taken quickly in order to ensure the continued protection of consumer data.

Data Breach Notification

In the event of a data breach, both laws require businesses to notify affected consumers within 30 days of the incident. This ensures that consumers are aware of potential risks to their personal information and can take appropriate steps to protect themselves.

Purpose Limitation

Both laws restrict businesses from using consumer data for purposes that are not disclosed or unrelated to the reasons for which the data was collected. This principle of purpose limitation ensures that consumer data is not misused.


Staying on top of privacy laws is hard work! But we can’t just ignore it at the same time. Consumers care about how we use their data. And laws like the VCDPA and CCPA have strict requirements for businesses to follow.

At Captain Compliance, we make this easier with our comprehensive compliance services. We offer outsourced compliance solutions so you can follow the rules and keep your consumers happy.

From writing compliant privacy policies to providing compliance training for your team, we’ve got you covered.

Corporate compliance isn’t just about checking boxes. It shows consumers you respect their data. And it keeps your reputation strong. Get in touch and let Captain Compliance guide you through the complex maze of regulations.


What is the CCPA, and Who Does it Affect?

The California Consumer Privacy Act (CCPA) protects Californians’ personal data. It applies to businesses with over $25 million in revenue, those handling personal information of 50,000+ California residents, or those earning the most income from selling their data.

Are you curious if your business needs to follow CCPA? Check out our detailed guide on CCPA compliance!

How Does CCPA Impact Consumer Data Usage?

CCPA changes the game by giving Californians more control over their data. Businesses must tell consumers what data they collect and why. Plus, consumers can say no to their data being sold. It’s all about respecting consumer choices.

Need help navigating CCPA’s impact on data usage? We’re here to assist!

What Are the Key Differences in Data Subject Rights Under VCDPA and CCPA?

The key differences in data subject rights under VCDPA and CCPA include the inclusion of employees within the scope of consumer rights protection under CCPA, whereas they are not explicitly covered by VCDPA.

Additionally, while both laws provide consumers with access to their personal information and the right to delete it, CCPA goes a step further by giving consumers the right to know what type of personal information is sold or shared about them. Finally, the CPRA adds new rights, such as limiting the use of personal information, which is not explicitly present in VCDPA.

Confused about data subject rights under these laws? Explore our resources for clarity!

How Do VCDPA and CCPA Affect Business Privacy Policies?

Both VCDPA and CCPA require businesses to have transparent privacy policies. VCDPA and CCPA demand clear explanations of data usage, along with information about consumer rights. It’s crucial for businesses to tailor their policies according to the differences, though.

Need help crafting compliant privacy policies? Contact us for expert advice!

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.