On January 1, 2023, Virginia’s Consumer Data Privacy Act (CDPA) went into effect. With it, Virginia joins California and its Consumer Privacy Act (CCPA) as the only states with such legislation. In this August 2023 round-up, we’ll cover a few updates since the CDPA went into effect, the CDPA’s impact on marketers, and some key takeaways for handling and implementing changes in response to the CDPA.
Updates
Last updated August 2, 2023
- Consumer data privacy laws are currently active in four states: California (CCPA), Virginia (CDPA), Connecticut (Connecticut Data Privacy Act), and Colorado (Colorado Privacy Act).
- The Connecticut Data Privacy Act and Colorado Privacy Act went into effect on July 1, 2023.
- Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and Utah have signed bills, but they are not active yet.
- The Delaware Personal Data Privacy Act was passed on June 30, 2023.
The International Association of Privacy Professionals (IAPP) has implemented a US State Privacy Legislation Tracker for visualizing the current status of data privacy laws throughout the United States.
How does the CDPA impact marketers?
The impact of the CDPA on marketers has to do primarily with customer rights to their data: access, correction, deletion, and opt-out from selling. Penalties for violations may vary, but applicable companies will be held responsible for damages of up to $7,500 per CDPA violation.
Through the CDPA, customers have the right to:
- Access a copy of their data. Personal data is any non-public, identifiable data that can be linked to a customer. Businesses must disclose any personal information that the consumer previously provided to the controller.
- Request a correction to their data (for example, an update to an incorrectly spelled name).
- Request a deletion of any personal data provided by or obtained about them.
- Opt out of the sale or sharing of personal data.
Additionally, the CDPA outlines rules for data collection and processing, including restrictions on the amount of personal data that can be collected, the purposes for which it can be used, security practices, non-discrimination, and consent.
CDPA regulations apply to non-government companies that 1) control or process data from 100,000+ Virginia residents, or 2) process data of 25,000+ Virginia residents and make more than 50% of their gross revenue from selling personal data.
What else do I need to know?
The CDPA is modeled after the CCPA in many respects and overlaps with the CCPA in terms of customer rights and penalties.
Companies that violate the CCPA will be fined $7,500 for intentional violations or $2,500 for unintentional violations. Furthermore, customers have the right to sue companies for uncapped damages.
Through the CDPA, customers have the right to:
- Know what personal information is being collected
- Review and request deletion of stored information
- Opt out of the sale or sharing of personal data
- Be protected from unequal treatment in the event they exercise these rights
Similar to the CDPA, the CCPA doesn’t apply to every company; the CCPA pertains to companies with gross revenues of $25+ million, who buy or sell personal data from 50,000+ California residents, or make more than 50% of their gross revenue from selling Californian consumer data.
What are the keys to handling and implementing changes?
For companies that are impacted, several steps can be taken to facilitate compliance with the CDPA, CCPA, and other data privacy laws on the horizon.
- Prepare your data architecture to handle access, correction, and deletion.
- Create a process to ensure data updates are made.
- Be transparent with customers as to how you plan to use their data.
For more details on handling and implementing changes, please refer to Jeffrey Rudolf of Response Labs’ guest article for the Baltimore Chapter of the American Marketing Association entitled “Understanding the California Consumer Privacy Act (CCPA)”.