Virginia’s CDPA and California’s CCPA look alike, both in their names and their overall terms. However, companies must understand where they differ in order to remain compliant and to prepare for other states’ laws.
On March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) became law, taking effect at the start of 2023. The second comprehensive consumer privacy law in the US, the CDPA leads a nationwide wave of state-level privacy bills. In general, the act draws heavily on the language of the California Consumer Privacy Act (CCPA). Despite similarities in their legal provisions and their acronyms, they have key distinctions in scope and enforcement.
Understanding the differences between the CDPA and CCPA – and how to build systems to comply with both – is in itself essential to compliance ops. However, there is also a broader benefit to teams. Preparing for the CDPA is an essential step in being ready for other state-level privacy laws that might follow it.
If the CDPA is any indication, comprehensive consumer privacy bills have a lot of forward momentum in 2021. Virginia’s General Assembly passed the CDPA with over 80% of the vote in each house. This proactive mindset will be vital for teams adapting to new state privacy laws, be they in Virginia or the growing number of other states advancing legislation.
As our CEO Cillian mentioned last week in AdExchanger, compliance with one regulation does not automatically make a business compliant with another.
Here, we break down the main differences between the CDPA and the CCPA. Along the way, we will share some pointers on how to bring policy requirements into the operations of your data systems.
The CCPA considers gross revenue as one basis for a business to comply. Businesses with over $25 million in annual gross revenue are subject to the CCPA.
The CDPA’s scope depends on how much personal data flows through a company. The CDPA applies if a business controls or processes at least 100,000 consumers’ personal data. Alternatively, the regulation applies if a business controls or processes more than 25,000 consumers’ personal data and generates over half of its gross revenue from selling personal data.
The upshot is this: teams should know the high-level measures of their user-base and budget to determine whether they must comply with the CDPA.
The CCPA supplies Californians with a private right of action for certain instances of non-compliance. In plain terms, individual Californians can file a lawsuit against a non-compliant business in predefined cases. However, the CDPA does not grant such a right. Thus, the Attorney General holds exclusive authority to enforce the CDPA’s provisions.
This distinction does not in itself change how teams should manage their data systems.
The CDPA differs from the CCPA in giving users the right to correct inaccurate pieces of data that a business holds on them. To make sure your team is ready to process users’ correction requests, it is crucial to know where all of the personal data resides in your systems. Beyond inventorying and accessing users’ personal data, you must be able to efficiently edit the contents of databases.
As with a request to delete data, a correction request requires you to be mindful of any downstream effects. For instance, if you correct a user’s email address in your in-house data stores, are there any in-house or third-party applications that also depend on this information? If so, do they automatically update? To keep on top of regulations – both present and emerging – an efficient process for implementing database corrections, most commonly called “right to edit,” will serve teams well in the era of CDPA enforcement.
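As an added illustration (not code from Ethyca or the Fides project), the following Python sketch shows a correction handler driven by a data inventory: it updates every system that syncs automatically, reports the ones that need manual follow-up, and offers a verification check. The system names, inventory and user records are constructed for the example.

```python
# Added example: a minimal "right to edit" handler backed by a data inventory.
# The inventory maps each personal-data field to the systems that hold it, so a
# correction request can reach every copy and flag the ones that do not auto-update.
from dataclasses import dataclass, field


@dataclass
class SystemRecord:
    name: str
    auto_sync: bool                      # False: edits must be pushed by hand (e.g. nightly export)
    store: dict = field(default_factory=dict)  # user_id -> {field: value}


# Constructed systems and inventory for the example (hypothetical names).
SYSTEMS = {
    "users_db": SystemRecord("users_db", auto_sync=True),
    "billing_db": SystemRecord("billing_db", auto_sync=True),
    "email_vendor": SystemRecord("email_vendor", auto_sync=False),
}
INVENTORY = {
    "email": ["users_db", "billing_db", "email_vendor"],
    "postal_address": ["users_db"],
}


def seed(user_id, values):
    """Populate every inventoried system with a user's current values (constructed data)."""
    for fld, val in values.items():
        for name in INVENTORY[fld]:
            SYSTEMS[name].store.setdefault(user_id, {})[fld] = val


def correct(user_id, fld, new_value):
    """Apply a correction request; returns (systems updated, systems needing manual follow-up)."""
    if fld not in INVENTORY:
        # Refuse rather than guess: an un-inventoried field cannot be corrected everywhere.
        raise KeyError(f"{fld} is not in the data inventory")
    updated, pending = [], []
    for name in INVENTORY[fld]:
        system = SYSTEMS[name]
        if system.auto_sync:
            system.store.setdefault(user_id, {})[fld] = new_value
            updated.append(name)
        else:
            pending.append(name)
    return updated, pending


def verify(user_id, fld, expected):
    """Audit check: names of systems whose copy of the field still differs from expected."""
    return [n for n in INVENTORY[fld] if SYSTEMS[n].store.get(user_id, {}).get(fld) != expected]
```

The pending list is the answer to "do downstream applications update automatically?": anything listed there is a copy the request has not yet reached.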
The CCPA grants users the right to opt out of businesses selling their personal data. The CDPA builds on this to also include targeted advertising and user profiling.
Companies should be ready to give a high-level explanation to consumers about automated decision-making processes that are involved in user profiling. On an implementation level, companies should build out their consent management systems to include this widened scope of activity.
Following GDPR’s lead, the CDPA calls for businesses to conduct evaluations of data processing, termed data protection assessments. Such assessments measure the benefits and risks to the business, users, and other stakeholders. They must accompany activities including, but not limited to:
This represents a significant build for a company that had worked to get compliant with the CCPA. Even in Europe, doing impact assessments accurately and consistently signifies a high level of business-wide privacy literacy and buy-in. You can read more about what goes into an impact assessment here on Ethyca.
The CCPA does not require such assessments.
To operationalize impact assessments, a comprehensive data inventory is again critical. Beyond knowing what data you collect and process, you should document why and how you process it. Maintaining consistent documentation, or – better yet – generating these reports automatically, is key to CDPA compliance.
Companies should expect the CDPA to be the first in a queue of state-level privacy regulations in 2021. The patchwork nature of these laws is sure to be frustrating, and positively daunting for teams thinking about privacy for the first time. But don’t despair! Getting the privacy basics right will ultimately lead to lots of state-by-state efficiencies.
The CDPA’s effective date of January 1, 2023, will approach quickly. CCPA compliance can bring a team close to CDPA compliance, but not quite over the finish line. To get there, turn attention to “Right to edit,” expansion of consent preferences, and basic impact assessment training. You’ll then be ready for the CDPA, and even more importantly, you’ll have laid the groundwork for the respectful treatment of your users’ data, no matter their state of residence.