Significant changes in the data privacy and security laws in the US have taken place in the beginning of this year. The California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) became fully effective on January 1, 2023. Learn all about the new policies and key updates in this article.
California Privacy Rights Act (CPRA)
The CPRA amended and expanded the California Consumer Privacy Act (CCPA) in 2020 but has only come into effect in 2023. It introduced stricter regulations on the use of personal information and established the California Privacy Protection Agency (CCPA) for data privacy enforcement.
- Compliance date: January 1, 2023
- Enforcement date: July 1, 2023
- Lookback period: 12 months
Beginning January 1, 2023, businesses subject to compliance to the CCPA must also follow all the changes/new rules stipulated in the CPRA. However, enforcement will only apply to violations occurring on or after July 1, 2023.
The lookback period means that parties given rights by the CPRA can request information collected 12 months prior to the law becoming effective (i.e., starting from January 1, 2022) to be changed or deleted.
CPRA Sensitive Personal Information Category
- Users can now prescribe how businesses can use their sensitive personal information.
- Sensitive personal information refers to government identifiers; login information, precise geolocation information; racial or ethnic origin; content of email, text messages; genetic data; and biometric information.
- Precise geolocation information is defined as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of one thousand, eight hundred and fifty (1,850) feet, except as prescribed by regulations.”
- A hyperlink/button that reads “Do Not Sell My Personal Information” must be posted on the homepage and other pages collecting data, linking to a page that informs users of their rights and facilitates opt-out requests.
- A hyperlink/button that reads “Limit The Use Of My Sensitive Personal Information” must be posted on the homepage and other pages collecting data, linking to a page that allows consumers or their representative/s to “limit the use or disclosure of the consumer’s sensitive personal information to those uses authorized” by the CPRA.
New consumer rights under the CPRA
According to the CPRA, consumers now have the following rights:
- Request to have their personal information (PI) and sensitive personal information (SPI) corrected.
- Opt out of having their PI and SPI used for making automated inferences, which are typically used for such purposes as profiling and behavioral targeting.
- Request information on how automated decision-making works and what their possible outcomes are.
- Restrict the use of their SPI, relating to third-party sharing.
Modified consumer rights under the CPRA
Some consumer rights have been modified under the CPRA, including the following:
- In the event of a PI deletion request, businesses also have to notify third parties and have them delete the same.
- Consumers can now request access to personal information collected beyond the 12-month limit in the CCPA.
- In addition to the right to opt out of having their personal information sold, consumers can also opt out of having their information shared with other businesses and sold specifically for behavioral targeting (targeted advertising).
- Consumers now have the right to data portability—they can request to have their personal information transmitted to another company or organization.
- The opt-in requirement for businesses dealing with minors is extended to include an explicit consent: “a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.”
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA was signed into law in March 2021 but only went into effect on January 1, 2023, establishing “a framework for controlling and processing personal data in the Commonwealth.”
- Compliance date: January 1, 2023
- Fine for non-compliance: Up to $7,500
The law is enforced by the Attorney General and applies to websites and companies that conduct business in Virginia or offer services/products targeting Virginia residents and either “control or process personal data of at least 100,000 consumers or derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.”
Key information about the VCDPA
- Personal data (PD) is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person.
- Sensitive data (SD) is defined as information about race, ethnicity, sexual orientation, religious beliefs, mental or physical health, citizenship or immigration status, biometric data, or geolocation.
- Prior consent from users are required when (1) processing any sensitive data and (2) processing, collecting, and selling children’s data.
- A “reasonably accessible, clear, and meaningful” privacy notice must be provided to consumers, including information on the following:
- categories of PD that the website processes,
- purpose for processing data,
- categories of PD shared with third parties, and categories of such parties, and
- how users can exercise their rights under the VCDPA.
- Processing of personal data for purposes other than those disclosed in the privacy notice is prohibited, unless user content is subsequently obtained.
Consumer rights under the VCDPA
According to VCDPA, consumers have rights to do the following:
- Access PD that has been collected
- Have inaccurate or incomplete PD corrected
- Have collected PD deleted
- Opt out of PD processing for data profiling, targeted advertising, or automated decision-making
- Opt out of getting their PD sold
- Have collected PD downloadable (data portability)
CPRA and VCDPA in a nutshell
CPRA and VCDPA both came into effect on January 1, 2023. They are meant to protect the personal data of consumers, outline the responsibilities of data controllers and processors, and grant rights to consumers related to the use and processing of their personal data.
Data privacy is a serious topic and compliance with data protection laws is a must for all eCommerce companies. If you need assistance navigating the data privacy and security laws in effect in 2023—GDPR, CCPA, CPRA, VCDPA, and others—scandiweb can help. For legal consultation, send us an email at [email protected].
Convert More Customers: First-party data marketing for eCommerce
Google One Tap Sign-in Implementation (First-party data collection)
The Omnibus Directive: New eCommerce Policy in the EU
European eCommerce Trends