Difference between CDPA, CCPA, CPRA and CPA


Understanding CDPA, CPA, CCPA & CPRA

On March 2, 2021, Governor Ralph Northam signed Virginia's Consumer Data Protection Act (CDPA) into law, making Virginia the second state, after California, to adopt a comprehensive consumer privacy law. It draws heavily from the proposed Washington Privacy Act and brings together concepts from the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). The law took effect on January 1, 2023.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CPRA, a ballot initiative that amends the CCPA and adds further privacy protections for consumers, passed on November 3, 2020. Most of its provisions did not become operative until January 1, 2023.

The Colorado General Assembly passed the Colorado Privacy Act (CPA), Senate Bill 21-190, on June 8, 2021, and Governor Jared Polis signed it into law on July 7, 2021. It took effect on July 1, 2023.

Similar But in Different Ways


Scope

CDPA

Section 59.1-572(A)
CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:
– Control or process the personal data of at least 100,000 consumers during a calendar year; or
– Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

CCPA

Section 1798.140(c)
CCPA applies to a “business” defined as a for-profit entity doing business in California that collects or processes consumers’ personal information and meets one or more of these thresholds:
– Annual gross revenues in excess of $25,000,000.
– Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
– Derives 50% or more of its annual revenues from selling consumers' personal information.

CPRA

Section 1798.140(d)
CPRA applies to a "business" defined as a for-profit entity doing business in California that collects or processes consumers' personal information and meets one or more of these thresholds:
– Annual gross revenues in excess of $25,000,000 in the preceding calendar year.
– Annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
– Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

CPA

Section 6-1-1304(1)
CPA applies to a controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and that either:
– Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
– Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Enforcement date

CDPA

January 1, 2023

CCPA

July 1, 2020

CPRA

July 1, 2023

CPA

July 1, 2023

Consumer rights

CDPA

Section 59.1-573(A)

  1. Right to be informed and access
  2. Right to rectification
  3. Right to deletion
  4. Right to portability
  5. Right to opt-out of targeted advertising, the sale of personal data or profiling.

CCPA

Section 1798.100 – 1798.125

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete.
  4. Right to Access personal information.
  5. Right to Know if Personal Information is Sold.
  6. Right to Opt-Out of sale.
  7. Right against discrimination

CPRA

Section 1798.105 – 1798.125

  1. Right to Know what personal information is collected.
  2. Right to Data Portability.
  3. Right to Delete.
  4. Right to rectification.
  5. Right to Access personal information.
  6. Right to Know if Personal Information is Sold.
  7. Right to Opt-Out of sale.
  8. Right to Limit Use and Disclosure of Sensitive Personal Information.
  9. Right against discrimination.

CPA

Section 6-1-1306

  1. Right to opt-out
  2. Right of access
  3. Right to correction
  4. Right to deletion
  5. Right to data portability

Personal Information

CDPA

Section 59.1-571
Personal data means any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include deidentified data or publicly available information (a separately defined term).

CCPA

Section 1798.140(o)
Personal information is defined broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information or deidentified or aggregate consumer information.

CPRA

Section 1798.140(v)
Personal information is defined broadly as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not include publicly available information or deidentified or aggregate consumer information.

CPA

Section 6-1-1303(17) “Personal Data”
a) Means Information that is linked or reasonably linkable to an identified or identifiable individual;
and
b) does not include de-identified data or publicly available information.

Obligations

CDPA

Data minimization:
Controllers are required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which it is processed.

Reasonable data security:
Controllers are required to maintain reasonable security measures to protect personal data.

Privacy notice requirement:
Controllers are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice.

Sensitive data:
Controllers are prohibited from processing sensitive data without obtaining the consumer's consent.

CCPA

Data minimization:
Data minimization is not mandated under the CCPA.

Reasonable data security:
The private right of action provision (Section 1798.150) references a business's duty to implement and maintain reasonable security procedures and practices.

Required notice:
Notice at collection, notice of the right to opt-out of sale, and notice of financial incentive.

Sensitive data:
The CCPA has no separate category of sensitive personal information. The categories of personal information collected and the purposes for which they are used must be communicated to consumers at or before the point of collection.

CPRA

Data minimization:
A business's collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the disclosed purposes, and a business is prohibited from retaining a consumer's personal information or sensitive personal information for longer than is reasonably necessary for that disclosed purpose.

Reasonable data security:
A business that collects a consumer's personal information is required to implement reasonable security procedures and practices in accordance with Civil Code Section 1798.81.5.

Required notice:
Notice at collection, broadened to include sensitive personal information and retention periods; notice of the right to opt-out of sale and sharing; notice of the right to limit use of sensitive personal information where it applies; and notice of financial incentive.

Sensitive data:
A business that has received direction from a consumer not to use or disclose the consumer's sensitive personal information is prohibited from doing so (the right to limit).

CPA

Duty of data minimization:
A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes.

Duty of care:
A controller must take reasonable measures to secure personal data, during both storage and use, from unauthorized acquisition.

Duty of transparency:
A controller must provide the consumer with a clear and reasonably accessible privacy notice that includes all the required information and declarations.

Duty regarding sensitive data:
A controller must obtain the consumer's consent before processing their sensitive data.

Minors

CDPA

Section 59.1-572(D)
Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) shall be deemed compliant with any obligation to obtain parental consent under this chapter.

Section 59.1-573(A)
A known child’s parent or legal guardian may invoke consumer rights on behalf of the child regarding processing personal data belonging to the known child.

CCPA

Section 1798.120(c)
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. This right may be referred to as the “right to opt-in.”

Section 1798.120(d)
A business that has not received consent to sell the minor consumer’s personal information shall be prohibited from selling the personal information unless the consumer subsequently provides express authorization.

CPRA

Section 1798.120(c)
A business shall not sell or share the personal information of consumers if the business has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 and less than 16, or the consumer’s parent or guardian, in the case of consumers who are less than 13, has affirmatively authorized the sale or sharing of the consumer’s personal information.

Section 1798.120(d)
A business that has not received consent to sell or share the minor consumer’s personal information shall be prohibited from selling or sharing the personal information unless the consumer subsequently provides consent.

CPA

Section 6-1-1308(7)
A controller shall not process the personal data of a known child without first obtaining consent from the child’s parent or lawful guardian.

Penalties

CDPA

Section 59.1-579 and Section 59.1-580
If the controller or processor fails to cure the alleged violation within the 30-day cure period, the attorney general may initiate an action and seek an injunction and civil penalties of up to $7,500 for each violation.

CCPA

Section 1798.155(b)
A business, service provider or other person that violates the law is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation, to be assessed and recovered in a civil action brought by the attorney general.

CPRA

Section 1798.199.90
Any business, service provider, contractor or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation and each violation involving the personal information of minor consumers, to be assessed and recovered in a civil action brought by the attorney general.

CPA

Section 6-1-1311
Consumers do not have a private right of action under the CPA. The attorney general and district attorneys have exclusive authority to enforce it. A business has 60 days from the date it receives a notice of violation from the attorney general or a district attorney to cure the violation; this cure provision was automatically repealed on January 1, 2025, after which no right to cure remains. A violation of the CPA is a deceptive trade practice and is subject to civil penalties of up to $20,000 per violation under Section 6-1-112 of the Colorado Revised Statutes.

Common provisions

1. Responding to consumer requests:

  • A 45-day period to respond to consumer requests.
  • This period may be extended once by 45 additional days when reasonably necessary.
  • The business must deliver the requested information free of charge.

2. Purpose limitation as a major obligation:

  • A business may not collect additional categories of personal information, or use personal information it has collected for additional purposes, without first providing notice.

3. Right to opt-out of sale:

  • Consumers have the right to opt-out of the sale of their personal information at any time.

Resource:
IAPP
