Today’s third installment of this series discussing the proposed Virginia Consumer Data Protection Act covers, well, what the Virginia Consumer Data Protection Act covers.

By way of reminder, GDPR’s coverage is defined by two limits: 

  1. an article governing its material scope (private entities processing personal data)
  2. one governing territorial scope (processing of data within the context of an establishment in Europe, processing data about European customers, and tracking of Europeans individuals, generally). 

The CCPA’s scope was far more complex because it was defined by four separate limits:

  1. It covers only “businesses,” which meant entities doing business in California and meeting various thresholds for size and data usage. 
  2. The CCPA covers only data of Californians. (This is in contrast to the GDPR, which can cover personal data of non-Europeans if the processing happens in the context of a European establishment.) 
  3. The CCPA excludes various personal data processing already covered by other privacy laws like HIPAA or the Fair Credit Reporting Act.
  4. The CCPA excludes activities that otherwise would come within its scope if all aspects of the data processing occurred outside of California.

 As if having four overlapping criteria weren’t complex enough, the “business” construct turned out to be notoriously difficult: The CCPA didn’t define “doing business in California” and pre-existing California law on that phrase was sparse. Did the CCPA intend to cover someone who operates entirely outside California but sometimes sends products to California buyers? How about someone who has a website that California consumers sometimes visit? Making life more complicated, the CCPA’s idea of a “business” didn’t quite correspond to the familiar idea of a legal entity. Instead, the law’s complex and ambiguous wording seemed to encompass corporate groups under common control and sharing common branding. That construct made it hard to apply some of the thresholds—do you count them entity-by-entity, or over the whole “business”?

The proposed Virginia CDPA’s coverage turns out to be materially simpler:

  1. It applies to controllers doing business in Virginia or targeting Virginia consumers, period. The express inclusion of a “targeting” prong should help avoid some of the CCPA’s vagueness around “doing business.” And because “controllers” under the proposed law corresponds 1:1 to legal entities, it avoids the CCPA’s ambiguity about “businesses” that encompass affiliated groups of entities. In turn, that simplifies the application of the law’s thresholds. 
  2. The Virginia CDPA would cover only Virginians. 
  3. The proposed Virginia CDPA contains various carve outs for data already regulated under various other privacy laws. In particular, it provides a number of carve-outs to exclude data that is already regulated under HIPAA or clinical trial laws and regulations, and provides a measure of buffer around such data aimed at ensuring that the law doesn’t get in the way of providing healthcare or dealing with public health emergencies. (The CCPA’s carveouts for medical data were initially pretty narrow. Then came Covid, which led to an important amendment late last year expanding those carveouts.) 
  4. What the proposed CDPA doesn’t seem to have is an “entirely outside of the state” exemption. So, since Peter’s a Virginian, the CDPA would potentially follow him wherever he goes. But not Mena, who’s a New Yorker.

In this series: 

Part I: Language

Part II: The Definition of Personal Data

Part III: Scope