Virginia’s Consumer Data Protection Act (CDPA): What you need to know

In March 2021, Virginia became the latest US state to sign a data privacy law. Governor Ralph Northam signed the Consumer Data Protection Act, otherwise known as the CDPA, into law, with plans for it to go into effect on January 1, 2023. How does CDPA compare against CCPA and GDPR? And as different states propose their own privacy legislation, how should you be preparing? Let’s take a look at some elements of CDPA that could inform how you adapt your compliance strategy.

Between GDPR and CCPA

Virginia’s CDPA is not exactly an East Coast version of the EU’s GDPR or California’s CCPA, but rather reflects elements seen in both.

Similar to GDPR, Virginian data subjects will be granted the right to be informed, access, correction, deletion, and portability. CCPA, by comparison, only grants its subjects the right to know and right to deletion. Though the passage of CPRA in Nov 2020 does move CCPA closer to GDPR, the language in CDPA regarding data subject rights and data controllers more closely resembles GDPR.

CDPA and CCPA both require businesses to provide an option to opt-out of the sale–and with CPRA, the sharing–of personal information. By contrast, the GDPR requires that opt-in consent is obtained for any purposes that are not strictly necessary. And even then, GDPR subjects must be allowed to object to “legitimate interest” when explicit consent is not obtained. 

Applicability under CCPA vs CDPA

CDPA will only apply to businesses that:

1. control or process personal data of at least 100,000 Virginia residents, or
2. derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.

By comparison, the CCPA is applicable to businesses that meet any of the following conditions:

1. Has over $25 million in statutorily adjusted gross annual revenues, or
2. Derives over 50% of its annual revenue from selling California consumers’ personal data, or
3. Buys, sells, receives, or shares for commercial purposes, the personal information of 50,000 or more California residents, households, or devices

Because the CDPA does not have a revenue threshold which expands applicability to businesses that don’t necessarily operate primarily in the state, it will probably end up applying to fewer businesses than CCPA. 

CDPA defines targeted advertising

Under the banner of the sale and sharing of personal information, CDPA defines targeted advertising as a kind of data processing that Virginia consumers must be able to opt-out of. A data controller is considered to be engaging in targeted advertising when they collect personal data from a consumer’s activity on third-party properties they don’t control for the purposes of predicting preferences or interests and to showing advertisements based on those predictions. 

Based on this definition of targeted advertising, ads that are delivered based on activity collected on the data controller’s own properties, also known as first-party data, don’t fall under what consumers can opt-out of. Additionally, because the CDPA specifies consumers as individuals/households outside of a commercial context, Virginians may still be able to be targeted in a B2B context so long as the targeting is based on data about their professional role.

CDPA requires opt-in consent for sensitive categories

Many in the industry are calling CDPA an opt-in rule because it requires opt-in consent for the processing of sensitive data. This includes children’s data, which CCPA also accounts for, as well as sensitive categories such as race, religious affiliation, immigration status, and other sensitive information like geolocation. 

CDPA also introduces “data protection assessments,” similar to the data protection impact assessments required under the GDPR, to evaluate the risks associated with processing sensitive data for profiling purposes. 

Preparing for the US patchwork of state privacy laws

Virginia is only the second state to pass a comprehensive privacy law, but the state laws appear to be ramping up. Just a few months after Virginia passed their privacy law, Colorado passed one as well.

As the most restrictive law, GDPR provides a good base on which to build your compliance strategy as you add new acronyms to your vocabulary. With so many states proposing and preparing to pass their unique set of rules and regulations, applicability and definitions for data, there is no one-size-fits-all solution for compliance.

Sourcepoint helps you manage compliance at scale

Using out of the box consent management solutions built for each new set of requirements is not a strategy that scales well. For years, we have been working closely with some of the world’s largest media brands to deliver consent management and privacy messaging tailored to regional specifications and business problems. 

Our messaging platform, Dialogue, is built for you to deliver messages for different compliance regimes and monetization strategies as they become necessary. Unified SDKs make it easy to add support for new geotargeted compliance regimes in mobile apps. Multi-campaign setup centralizes concurrent campaigns in one place where you can edit the order of messages and set message caps. 

To learn more about how Sourcepoint is best positioned to help you prepare for emerging privacy regulations like the CDPA, contact us.