Following the Footsteps of the California Privacy Rights Act (CPRA) – Virginia’s Consumer Data Protection Act (CDPA) and Colorado’s Consumer Privacy Act (CPA)
Following in the footsteps of the California Privacy Rights Act of 2020 (CPRA), which becomes effective on January 1st, 2023, Virginia and Colorado have passed privacy legislation that creates more consumer data rights. Similar to California’s CPRA, Virginia’s Consumer Data Protection Act (CDPA) and Colorado’s Consumer Privacy Act (CPA) both establish new regulations for businesses to abide by, granting consumers more control over their personal data and further impacting the future of consumer data usage. Although some major details of the regulations differ between states, there are many similarities, and I expect to see similar regulations become the norm for other states as time passes.
Virginia’s Consumer Data Protection Act (CDPA)
After California, Virginia became the next state to adopt a similar consumer data privacy law when the Consumer Data Protection Act (CDPA) was signed on March 2nd, 2021. Just like California’s CPRA, Virginia’s law goes into effect on January 1st, 2023. Its main goal is to establish consumer control of their data and create accountability for businesses in their handling of it.
The new regulations grant Virginia consumers the right to submit a request to access any data a business has collected about them in order to review it, correct inaccuracies, or even delete it. Businesses have 45 days to respond to a consumer request. Consumers also have the right to opt out of targeted advertising and the sale of personal data, which they decide on a business-by-business basis. These regulations apply to companies that conduct business in Virginia and control the personal data of at least 100,000 Virginia consumers. They also apply to businesses that control the personal data of at least 25,000 Virginia consumers, if they make over 50% of their revenue through selling personal data.
The regulations cover ‘profiling’ practices, performed on the basis of personal data, that influence how a business approves or denies services related to finances, housing, insurance, education, healthcare, or access to necessities. The CDPA also adds extra protection for personal data deemed ‘sensitive’, requiring consumers to opt in before it can be collected. This type of data may include ethnicity, religion, health, sexual orientation, citizenship status, or data collected from a child under 13.
As far as limitations go, there are exemptions as to which data is included as well as open-ended areas that will be amended later. One of the major limitations is that these new rights only apply ‘in an individual or household context’, i.e., not in the business arena. Similar to the CPRA, Virginia’s CDPA also excludes data made available to the general public, such as through social media. While consumers can prevent the sale of their personal data, businesses will still be able to transfer this data to an affiliated business, have a third party process it, and share the data if a consumer buys their products or services. As for targeted advertising, there are also some limitations. When a consumer opts out, they can prevent advertising based on an external business, but there are exemptions for targeting data collected at any other point. Businesses can also use the data of a consumer who has opted out for their own research purposes, to see the effectiveness of their marketing.
Unlike California’s personal data legislation, there is no private right of action for violations. Virginia’s Attorney General will be overseeing the CDPA. Any businesses with alleged violations will receive detailed written notices and be given a 30-day grace period to correct their practices. Any violations not fixed within the allotted time may incur a penalty of up to $7,500 per violation.
Colorado’s Consumer Privacy Act (CPA)
Colorado was next to pass privacy legislation, under its Consumer Privacy Act (CPA), which was signed into law on July 8th, 2021, and becomes effective on July 1st, 2023, six months after the California and Virginia legislation. The CPA contains another set of comprehensive personal data regulations meant to give consumers within Colorado more control and protection.
Colorado’s CPA applies to all businesses within the state (or those that serve Colorado residents) that either control the personal data of 100,000 or more Colorado consumers or control the personal data of 25,000 or more Colorado consumers and financially benefit from the sale of personal data. This is broader than the Virginia legislation, as it cites no necessary percentage of revenue. However, like the CDPA, Colorado’s CPA also only protects consumers acting ‘in their individual or household contexts,’ with the same exemption of publicly available information.
Similar to the Virginia law, the CPA grants consumers the right to access a business’s collection of their personal data in order to correct inaccuracies or delete it. Once a consumer makes a request for access, the business has 45 days to reply. Under the CPA, businesses will also be required to provide privacy notices to their consumers while also conducting data protection tests for any data processing that may involve a risk of harm to their consumers. There is no private right of action, as with the Virginia legislation, and the Attorney General will oversee enforcement.
Unlike Virginia’s CPRA, the CPA gives consumers the right to opt out of not only the sale of their personal data, but also its use for targeted marketing. The CPA also includes a “user-selected universal opt-out mechanism” that is a feature unique to Colorado. This mechanism may become available when the regulations go into effect, but will be mandatory starting July 1st, 2024.
If either of these new pieces of legislation impacts your business, consider using the period of time before they become effective to get your business ready to comply. Even exempt businesses within these states – or businesses in states that have yet to create their own personal data privacy regulations – should stay updated on these regulations. Looking to the future, I expect to see more of these regulations and it’s best to stay prepared and keep the topic on your mind. Whether your state ends up taking Virginia’s more business-friendly approach or adheres to harsher standards, preparing for the possibility of new data legislation to tackle rising cybersecurity risks is a wise decision.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.