Even as California has progressed to version 2.0 of its state data protection law, most U.S. states have yet to release their version 1.0. But Virginia seems poised to buck the trend and pass the next major state privacy law, the Consumer Data Protection Act. This week we’ll be blogging about some of the key features of the proposed CDPA and how they sit between California’s law, the CCPA, and Europe’s law, the GDPR. We plan to cover comparisons like the scope of “personal data,” what businesses are covered, how the law interacts with other US data protection laws, and—perhaps most important—the treatment of data “sales.” But for today, we want to address the gating question of how to read the law. Is the law written in Californian, or European? The choice of language is no mere academic matter; the choice reflects the law’s fundamental assumptions and commitments.
First of all, it’s the Virginia Consumer Data Protection Law. So right there, the law seems to be written in European, like the General Data Protection Regulation. California, in contrast, has its Consumer Privacy Act. The word “Privacy” imports a lot of concepts and connotations. It has a rich history in the law of searches of persons and homes and papers and communications—think the Electronic Communications Privacy Act. Privacy also brings a connotation of intentional secrecy—hey, keep your eyes to yourself. But data protection is different. Data protection laws tend to be about giving people rights in data that’s about them from an equitable standpoint—sweat of the brow, anyone?—and sometimes that’s anti-secrecy. For example, under many data protection laws, you should be able to demand that a company tell you what data it holds relating to you, which isn’t about secrecy but the opposite. You can ask a company to transfer your data to another company, which similarly encourages more personal data sharing, not less. Which is why the California Consumer Privacy Act was probably misnamed from the start. The Virginia law is more upfront: it’s about setting the terms on which people share and use personal data, not privacy in the sense of secrecy.
The CDPA is also about Personal Data, not Personal Information or Personally Identifiable Information or some of the other terms often used in the U.S. Again, the language is more European than Californian. But in this case, the Californian term probably would have been more apt. “Data,” in the traditional mathematical or computer science sense, denotes information that’s structured in tabular or some other highly organized form. That sort of data is easily searched, cataloged, calculated, restructured, etc. That’s why some older privacy laws, such as the U.S. Privacy Act of 1974, govern only information within a “system of records.” That law, which applies to the U.S. government, didn’t require government employees to scour every letter or paper in the basement archives looking for someone’s name; it only required the government to take actions on organized data that could readily be looked up and acted upon. That construct was supposed to extend to the GDPR as well. The GDPR is only meant to apply to personal data that is “part of a filing system.” But there’s always been an element of sleight of hand by data protection advocates and authorities, and data protection has steadily encroached into the realm of unstructured personal information. The CCPA is probably a bit more honest insofar as it governs personal “information” rather than “personal data.”
Like California’s law, Virginia’s law is about Consumers, but there’s some sleight of hand here, too. Just like the CCPA, the CDPA defines “consumer” to mean any resident. That was a problem when the CCPA was first enacted; was this “consumer” law really meant to govern data protection for employees or people in the B2B context? The California legislature later amended the CCPA so that most (but not all) provisions wouldn’t apply to people in those categories. The Virginia CDPA handles the problem in a more straightforward way: “consumer” means someone acting in an individual or household context—thereby excluding people acting in the B2B context—and excludes employees and job applicants. Which means people in those categories are outside the CDPA altogether.
Looking back to Europe, Virginia’s law uses the familiar GDPR categories of “data controller” and “data processor,” rather than the CCPA’s unusual “business” and “service provider” concepts. Practitioners may rejoice, since common terminology simplifies the drafting of contracts that might involve both laws. But again, there’s more to it. California’s CCPA stuffed a lot of concepts into the definition of “business,” such as the exclusion of non-profits and various thresholds for the law’s application. The Virginia law defines “data controller” in the more straightforward way—the person who determines the means and purposes of processing—and then puts the scope of its application into a separate section.
Finally, there’s the biggie: the definition of Sale of Personal Data. That’s a concept that’s basically foreign to the GDPR, whose central concept is personal data processing of all sorts. In contrast, the primary preoccupation of the CCPA is personal data sales. The CCPA’s definition was anything but straightforward. Quite the contrary, it was so counterintuitive that many companies still enclose “sale” in quotation marks in their privacy policies, and at least one major company's policy distinguishes between the CCPA’s definition and “the conventional sense” of the word. Is the Virginia law’s definition similarly counterintuitive? That critical question will be the topic of another post.