CDPA, CCPA, And The Letter Of The Law

Virginia’s CDPA and California’s CCPA look alike, both in their names and their overall terms. However, companies must understand where they differ in order to remain compliant and to prepare for other states’ laws.

CDPA and CCPA: Siblings but not Twins

On March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) became law, taking effect at the start of 2023. The second comprehensive consumer privacy law in the US, the CDPA leads a nationwide wave of state-level privacy bills. In general, the act draws heavily on the language of the California Consumer Privacy Act (CCPA). Despite similarities in their legal provisions and their acronyms, they have key distinctions in scope and enforcement.

Understanding the differences between the CDPA and CCPA – and how to build systems to comply with both – is in itself essential to compliance ops. However, there is also a broader benefit to teams. Preparing for the CDPA is a essential step in being ready for other state-level privacy laws that might follow the CDPA.

If the CDPA is any indication, comprehensive consumer privacy bills have a lot of forward momentum in 2021. Virginia’s General Assembly passed the CDPA with over 80% of the vote in each house. This proactive mindset will be vital for teams adapting to new state privacy laws, be they in Virginia or the growing number of other states advancing legislation.

As our CEO Cillian mentioned last week in AdExchanger, compliance with one regulation does not automatically make a business compliant with another.

Here, we break down the main differences between the CDPA and the CCPA. Along the way, we will share some pointers on how to bring policy requirements into the operations of your data systems.

Applicability

The CCPA considers gross revenue as one basis for a business to comply. Businesses with over $25 million in annual gross revenue are subject to the CCPA.

The CDPA’s scope depends on how much personal data flows through a company. The CDPA applies if a business controls or processes at least 100,000 consumers’ personal data. Alternatively, the regulation applies if a business controls or processes more than 25,000 consumers’ personal data and generates over half of its gross revenue from selling personal data.

The upshot is this: teams should know the high-level measures of their user-base and budget to determine whether they must comply with the CDPA.

Enforcement

The CCPA supplies Californians with a private right of action for certain instances of non-compliance. In plain terms, individual Californians can file a lawsuit against a non-compliant business in predefined cases. However, the CDPA does not grant such a right. Thus, the Attorney General holds exclusive authority to enforce the CDPA’s provisions.

This distinction does not in itself change how teams should manage their data systems.

Right to Correction

The CDPA differs from the CCPA in giving users the right to correct inaccurate pieces of data that a business holds on them. To make sure your team is ready to process users’ correction requests, it is crucial to know where all of the personal data resides in your systems. Beyond inventorying and accessing users’ personal data, you must be able to efficiently edit the contents of databases.

As with a request to delete data, a correction request requires you to be mindful of any downstream effects. For instance, if you correct a user’s email address in your in-house data stores, are there any in-house or third-party applications that also depend on this information? If so, do they automatically update? To keep on top of regulations – both present and emerging – an efficient process for implementing database corrections, most commonly called “right to edit,” will serve teams well in the era of CDPA enforcement.

Opt-Out Rights

The CCPA grants users the right to opt out of businesses selling their personal data. The CDPA builds on this to also include targeted advertising and user profiling.

Companies should be ready to give a high-level explanation to consumers about automated decision-making processes that are involved in user profiling. On an implementation level, companies should build out their consent management systems to include this widened scope of activity.

Data Protection Assessments

Following GDPR’s lead, the CDPA calls for businesses to conduct evaluations of data processing, termed data protection assessments. Such assessments measure the benefits and risks to the business, users, and other stakeholders. They must accompany activities including, but not limited to:

• Targeted advertising
• Selling personal data
• Profiling users

This represents a significant build for a company that had worked to get compliant with CCPA. Even in Europe, doing impact assessments accurately and consistently signifies a high-level of business-wide privacy literacy and buy-in. You can read more about what goes into an impact assessment here on Ethyca.

The CCPA does not require such assessments.

To operationalize impact assessments, a comprehensive data inventory is again critical. Beyond knowing what data you collect and process, you should document why and how you process it. Maintaining consistent documentation, or – better yet – generating these reports automatically, is key to CDPA compliance.

A Tale of Two Privacy Regulations (and Counting)

Companies should expect the CDPA to be the first in a queue of state-level privacy regulations in 2021. The patchwork nature of these laws is sure to be frustrating, and positively daunting for teams thinking about privacy for the first time. But don’t despair! Getting the privacy basics right will ultimately lead to lots of state-by-state efficiencies.

The CDPA’s effective date of January 1, 2023, will approach quickly. CCPA compliance can bring a team close to CDPA compliance, but not quite over the finish line. To get there, turn attention to “Right to edit,” expansion of consent preferences, and basic impact assessment training. You’ll then be ready for the CDPA, and even more importantly, you’ll have laid the groundwork for the respectful treatment of your users’ data, no matter their state of residence.