When the CCPA was passed into California law in 2018, California was the only state in the US with a baseline privacy law. As of this week, we have a second. Virginia would like to introduce you to the latest acronym in our privacy alphabet soup: CDPA (“Consumer Data Protection Act”).
Several other sources have written excellent summaries of the CDPA, and I encourage everyone to read through the particulars:
High-points of the law:
- The CDPA reads very much like a blending of the CCPA and GDPR, with many borrowed terms and functional requirements. There are important differences, and notably the CDPA is not nearly as thorough as the GDPR and includes many more significant exemptions.
- In particular, if your company is a financial institution covered by the Gramm-Leach-Bliley Act, you are exempt.
- Most digital businesses operating at consumer scale will collect data from more than 100K consumers, and therefore will be covered by the law.
- The CPDA extends the now typical DSAR rights that laws in Europe and California (and many other jurisdictions) provide.
- CDPA uses ‘controller/processor’ terminology from the GDPR and requires DPAs.
- CPDA uses ‘sale’ language similar to the CCPA and provides consumers with the right to opt-out of ‘sale.’ ‘Sale’ is more narrowly defined in CPDA, notably omitting the ‘or other valuable consideration’ language of the CCPA. But the CPDA also includes dedicated language, including opt-out requirements, for ‘targeted advertising,’ which uses terms that seem borrowed from the NAI. In other words, the debates about whether targeted advertising platforms involve ‘sales’ are largely moot.
- CPDA requires impact assessments and other privacy governance steps that are consistent with the GDPR and largely becoming mandatory across the globe.
- CPDA will go into force in January, 2023.
- Enforced will be managed by the Virginia AG.
- No private right of action.
One is a coincidence, two is a trend. Three will be … inevitability? We are rapidly approaching a tipping point, beyond which momentum for a US federal law will become irresistible, regardless of how challenging Congress finds the legislative process. Privacy is a bi-partisan issue, and pre-emption of a patchwork of state laws will be just as popular.
The digital media industry can breathe a sigh of relief that some of its greatest fears were not included in this law (private right of action, opt-in for the use personal data), as the ultimate federal law will likely roll up these state standards.
The GDPR continues to extend its reach. For companies managing compliance and attempting to build a coherent brand strategy, CPDA is yet another indication that the GDPR standard is increasingly the baseline.
Relevant reference: Lucid table comparing CCPA and CPRA to the GDPR
The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at email@example.com or visit us on the web or Twitter.