CCPA vs VCDPA vs CPA — Comparing the Big Three State Privacy Laws
2026-03-01 · Privio Team
California, Virginia, and Colorado were the first three states to enact comprehensive consumer privacy laws. Together, they set the template that most other states have followed. If you're compliant with these three, you're well on your way to handling the rest.
Here's how they compare.
At a Glance
| | CCPA/CPRA (California) | VCDPA (Virginia) | CPA (Colorado) |
|---|---|---|---|
| Effective | Jan 2020 / Jan 2023 | Jan 2023 | Jul 2023 |
| Revenue threshold | $25M+ | None | None |
| Consumer threshold | 100,000+ | 100,000+ | 100,000+ |
| Data sale threshold | 50%+ revenue | 25,000+ consumers | 25,000+ consumers |
| Private right of action | Yes (data breaches) | No | No |
| Opt-out signal required | Yes (GPC) | No | Yes (universal opt-out) |
| Cure period | None | 30 days | 60 days (until 2025) |
Who They Apply To
CCPA/CPRA casts the widest net. If your business has $25M+ in annual revenue — regardless of how much data you handle — CCPA likely applies. It also covers businesses that buy, sell, or share the personal information of 100,000+ California consumers.
VCDPA and CPA don't have revenue thresholds. Instead, they focus purely on data volume: if you process data of 100,000+ consumers in the state, or 25,000+ consumers while deriving revenue from data sales, you're covered.
Key Consumer Rights
All three laws grant consumers similar core rights:
- Right to know what data is collected
- Right to delete personal data
- Right to opt out of data sales / targeted advertising
- Right to data portability
Key differences:
- CCPA includes a right to limit use of sensitive data and a right to correct inaccurate data
- VCDPA and CPA require opt-in consent for processing sensitive data
- CPA mandates recognition of universal opt-out mechanisms (like Global Privacy Control)
Business Obligations
Privacy Notices
All three require clear, accessible privacy policies that disclose categories of data collected, purposes, and consumer rights. CCPA requires specific disclosures at the point of collection.
Data Protection Assessments
VCDPA and CPA require Data Protection Impact Assessments (DPIAs) for high-risk processing activities like targeted advertising, selling data, and processing sensitive data. CCPA/CPRA requires similar risk assessments under CPRA regulations.
Vendor Contracts
All three require contracts with service providers and processors that limit how they can use the data you share with them.
Enforcement & Penalties
- CCPA: Enforced by the California Attorney General and the California Privacy Protection Agency (CPPA). Penalties up to $7,500 per intentional violation. Consumers can sue for data breaches ($100–$750 per incident).
- VCDPA: Enforced by the Virginia AG only. Penalties up to $7,500 per violation, with a 30-day cure period.
- CPA: Enforced by the Colorado AG. Penalties up to $20,000 per violation under the Colorado Consumer Protection Act.
Practical Takeaway
If you comply with all three, you'll cover the vast majority of requirements in other states too. Focus on these steps:
- Implement a comprehensive privacy policy
- Build consumer rights request workflows (access, delete, opt-out)
- Honor universal opt-out signals (GPC)
- Get consent for sensitive data processing
- Conduct data protection assessments for high-risk activities
- Update vendor contracts with data processing agreements