U.S. consumer data privacy laws have much in common – both with each other and with the laws from which they took their inspiration – but subtle differences may trip up even the most seasoned compliance professionals. Here, Bloomberg Law provides an easy-to-read comparison of the EU’s General Data Protection Regulation (GDPR) against the first three data privacy laws in the U.S: California, Virginia, and Colorado.
[Download the full chart for all the critical information at a glance.]
GDPR | CCPA | CPRA | VCDPA | CPA | |
Name | General Data Protection Regulation | California Consumer Privacy Act | California Privacy Rights Act | Consumer Data Protection Act | Colorado Privacy Act |
Citation | EU/2016/679 | Cal. Civ. Code § 1798.100 et seq. | Cal. Civ. Code § 1798.100 et seq. | Va. Code § 59.1-571 et seq. | Colo. Rev. Stat. § 6-1-1301 et seq. |
Jurisdiction | European Union | California | California | Virginia | Colorado |
Model | Opt-in | Opt-out | Opt-out | Opt-out | Opt-out |
Sector | Non-sectoral | Non-sectoral | Non-sectoral | Non-sectoral | Non-sectoral |
Effective date(s) | May 25, 2018 | Jan. 1, 2020 | Dec. 16, 2020; Jan. 1, 2023 | Jan. 1, 2023 | Jul. 1, 2023 |
[Download the full chart for all the critical information at a glance.]
GDPR | CCPA | CPRA | VCDPA | CPA | |
Whose data is protected? | |||||
Statutory term | Data subject | Consumer | Consumer | Consumer | Consumer |
Defined as | Natural person in the EU | Natural person who is a CA resident | Natural person who is a CA resident | Natural person who is a VA resident | Individual who is a CO resident |
What types of data are protected? | |||||
Statutory term | Personal data | Personal information | Personal information | Personal data | Personal data |
Defined as | Any information relating to an identified or identifiable natural person | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | Any information that is linked or reasonably linkable to an identified or identifiable natural person | Information that is linked or reasonably linkable to an identified or identifiable individual |
Definition excludes de-identified data | GDPR uses the term “pseudonymized,” rather than “de-identified.” According to Recital 26, personal data that has undergone pseudonymization – which could be attributed to a natural person by the use of additional information – should be considered personal data | Yes, but see provisions regarding reidentification of de-identified information – Cal. Civ. Code §1798.148 | Yes, but see provisions regarding reidentification of de-identified information. Cal. Civ. Code §1798.148. Moreover, the CPRA authorizes the attorney general to update the definition of “de-identified” – Cal. Civ. Code §l798.l85(a) | Yes, but special requirements apply to de-identified data. See Va. Code§ 59.1-581. | Yes, but special requirements apply to de-identified data. See Colo. Rev. Stat.§ 6-1-1307. |
Definition excludes publicly available info | No | Yes | Yes | Yes | Yes |
Definition excludes aggregate info | Not specified, but Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes | Yes | Yes | Not specified | Not specified |
[Download the full chart for all the critical information at a glance.]
The General Data Protection Regulation, or GDPR, defines the data subject as a natural person in the EU. The personal data covered by the law is defined as any information relating to an identified or identifiable natural person. It excludes “pseudonymised” data, but does not exclude publicly available data. Recital 162 indicates that GDPR applies to the processing of personal data for statistical purposes.
The California Consumer Privacy Act (CCPA) protects the consumer, which is defined as a natural person who is a California resident. CCPA applies to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA excludes de-identified data, publicly available information, and aggregate information.
The Virginia Consumer Data Protection Act, or VCDPA, protects the consumer, defined as a natural person who is a Virginia resident. It protects personal information, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. The VCDPA excludes de-identified data and publicly available data. It does not specify if aggregate information is excluded.
The Colorado Privacy Act (CPA) protects the consumer, defined as an individual who is a Colorado resident. It protects personal data, which is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The CPA excludes de-identified data and publicly available data. It does not specify if aggregate information is excluded.
GDPR | CCPA | CPRA | VCDPA | CPA | |
Jurisdictional threshold | Processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior | “Does business” in California | “Does business” in California | “Conduct business” in Virginia or produce products or services “targeted” to Virginia residents | “Conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents |
Revenue threshold | None | Annual gross revenues greater than $25 million | Annual gross revenues greater than $25 million in preceding calendar year | None | None |
Processing threshold | None | Data of 50,000 or more consumers | Data of 100,000 or more consumers | Data of 100,000 or more consumers | Data of 100,000 or more consumers |
Broker threshold | None | At least 50% of revenue from selling of data | At least 50% of revenue from selling or sharing of data | Data of 25,000 or more consumers + at least 50% of revenue from sale of data | Data of 25,000 or more consumers + derives revenue or receives discount from sale of data |
[Download the full chart for all the critical information at a glance.]
The GDPR requires compliance by any entity that processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior. There is no revenue threshold, processing threshold, or broker threshold.
The CCPA applies to entities that “do business” in California that meet the following thresholds:
The CPRA applies to entities that “do business” in California that meet the following thresholds:
The VCDPA applies to entities that “conduct business” in Virginia or produce products or services “targeted” to Virginia residents. There is no revenue threshold, but the law applies only to entities that process the data of 100,000 or more consumers or companies that process the data of at least 25,000 consumers, while deriving more than 50 percent of gross revenue from the sale of that data.
The CPA applies to any entity that “conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents. Entities must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process (i) the personal data of at least 100,000 consumers, or (ii) the personal data of at least 25,000 consumers, while deriving revenue or receiving a discount from the sale of that data.
GDPR | CCPA | CPRA | VCDPA | CPA | |
Noncompliance | Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher | In actions brought by AG, civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater | Administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater | If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation | For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice |
[Download the full chart for all the critical information at a glance.]
The consequences of noncompliance with GDPR are administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
In actions brought by the attorney general, CCPA violators face civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the consequences are statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
The consequences of noncompliance of CPRA are administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the penalty is statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.
For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice.
On the frontier of privacy and data security, change happens. And with evolving technologies come new risks and responsibilities. Map your consumer data privacy compliance strategy and stay ahead of GDPR developments with essential privacy and data security news, expert analysis, and practice tools from Bloomberg Law.
Watch the on-demand replay of our latest In-House Forum, Global Privacy Dynamics: Navigating Data Laws and AI Challenges, to hear important privacy issues facing in-house legal teams with legislative and regulatory updates and insights for evaluating new technology and consumer data policies.
Privacy and data security compliance challenges are real. So are our solutions. Request a demo to learn more.