by 
On January 1, 2023 Virginia’s Consumer Data Privacy Act (CDPA) went into effect. It joins California’s Consumer Privacy Act (CCPA) as the only states with such legislation. In this March 2023 round up, we’ll cover a few updates since the CDPA went into effect, CDPA impact on marketers, along with some key takeaways for handling and implementing changes in response to the CDPA.
Updates
Last updated March 3, 2023.
- Consumer data privacy laws are currently active in two states: California (CCPA) and Virginia (CDPA).
- Colorado, Connecticut, and Utah have signed bills, but they are not active yet. Additional states Texas, Maryland, and Massachusetts have bills introduced, with many others following.
- This month, bills were introduced in Illinois, Kentucky, Minnesota, Montana, Texas, and West Virginia and passed in Indiana, Kentucky, New Jersey, and Oklahoma.
The International Association of Privacy Professionals (IAPP) has implemented a US State Privacy Legislation Tracker for visualizing the current status of data privacy laws throughout the United States:
How does the CDPA impact marketers?
The impact of the CDPA on marketers has to do primarily with customer rights to their own data—access, correction, deletion, and opt-out from selling. Penalties for violations may vary, but applicable companies will be held responsible for damages for up to $7,500 per CDPA violation.
Through the CDPA, customers have the right to
- Access a copy of their personal data. Personal data is any non-public, identifiable data that can be linked to a customer. Businesses must disclose any personal information that the consumer previously provided to the controller.
- Request a correction to their personal data (for example, an update to an incorrectly spelled name).
- Request a deletion to any personal data provided by or obtained about them.
- Opt out of the sale or sharing of personal data.
Additionally, the CDPA outlines rules for data collection and processing, including restrictions on the amount of personal data which can be collected, the purposes it can be used for, security practices, non-discrimination, and consent.
CDPA regulations apply to non-government companies who 1) control or process data from 100,000+ Virginia residents, or 2) process data of 25,000+ Virginia residents and make more than 50% of their gross revenue from selling personal data.
How does the CCPA impact marketers?
The CDPA is modeled after the CCPA in many respects and overlaps with the CCPA in terms of customer rights and penalties.
Companies which violate the CCPA will be fined $7500 for intentional violations or $2500 for unintentional violations. Furthermore, customers have the right to sue companies for uncapped damages.
Through the CDPA, customers have the right to
- Know what personal information is being collected
- Review and request deletion of stored information
- Opt out of the sale or sharing of personal data.
- Be protected from unequal treatment in the event they exercise these rights
Similar to the CDPA, the CCPA doesn’t apply to every company; the CCPA pertains to companies with gross revenues of $25+ million, who buy or sell personal data from 50,000+ California residents, or make more than 50% of their gross revenue from selling Californian consumer data.
What are the keys to handling and implementing changes?
For companies who are impacted, there are several steps that can be taken to facilitate compliance with the CPDA, CCPA and other data privacy laws on the horizon.
- Prepare your data architecture to handle access, correction, and deletion.
- Create a process to ensure data updates are made.
- Be transparent with customers as to how you plan to use their data.
For more details on handling and implementing changes, please refer to Jeffrey Rudolf of Response Labs’ guest article for the Baltimore Chapter of the American Marketing Association entitled “Understanding the California Consumer Privacy Act (CCPA)”.
