Mark your calendars for January 1, 2023. That’s when Virginia’s Consumer Data Protection Act (CDPA) will go into effect, now that Virginia Governor Ralph Northam has signed the bill into law.
Last month, both houses of the Virginia state legislature passed the CDPA — comprehensive data-privacy legislation that will create restrictions on how non-exempt businesses operating in, or targeting consumers in, Virginia can handle Virginians’ personal data.
These restrictions include:
- That they comply with certain, authenticated requests from Virginia consumers to account for, modify, and/or delete the consumer’s personal data;
- That they allow Virginia consumers to opt out of the processing of personal data for certain purposes (and, further, that certain sensitive data not be processed without an unambiguous opt in);
- That they conduct data-protection assessments of those processing activities (as well as other processing activities of personal data “that present a heightened risk of harm to consumers”);
- That they have and publish particularized privacy notices and disclosures (and abide by them); and
- That they and their data processors include certain clauses in their agreements.
A few additional requirements are placed on data processors — mostly involving consumer requests, data-protection assessments, security, and breach notifications.
The full text of the bill is here.
CDPA comes more than two and a half years after California passed the first major data-privacy act in the US, the California Consumer Privacy Act (CCPA), and some pundits have likened the two laws. Others, meanwhile, posit that CDPA more closely resembles the EU’s far stricter General Data Protection Regulation (GDPR).
But CDPA has its own unique identity. And while it represents plenty of limitations on B2C targeting, there are plenty of exceptions to those limits.
Consumer rights under CDPA
In general, CDPA will grant Virginia consumers these rights:
- To confirm if a data controller is processing their personal data or not;
- To access, correct, and even delete their personal data such as a data controller may hold;
- To get a copy of their data to the extent they’d previously provided their data to the data controller; and (here comes the big one, so pay attention)
- To opt out of having their personal data processed for the purposes of targeted advertising, the sale of that data, or personal profiling where that profiling can have significant effects on the consumer (e.g., healthcare, finances, education enrollment, employment opportunities, legal implications, housing, access to basic necessities).
One right Virginia consumers won’t have under CDPA: A private right of action. Only the Virginia Attorney General will be able to bring a lawsuit based on the provisions of CDPA. CDPA liability will cap at $7,500 per violation plus costs and attorneys’ fees.
To best understand these rights, we have to understand who a consumer is under CDPA.
CDPA defines a consumer as a natural person who is a Virginia resident provided that they are “acting only in an individual or household context.” (Compare California’s CCPA, which does not have any such “individual or household context” limitation on its definition of “consumer”.) For extra clarity, CDPA goes on to specifically explicate that it extends zero protections to people when they are “acting in a commercial or employment context.”
One notable upshot of this: While CDPA may impact your B2C campaigns, it appears okay to still target the heck out of a Virginian in the B2B or B2G (business to government) context, to the extent the targeting has to do with their role at their job (and is otherwise lawful). You just may have to back off the targeted advertising when that Virginian logs off of their work account for the evening and spends time with their family (and phone) on the couch.
But what is “targeted advertising”?
“Targeted advertising” under CDPA
A data controller is engaging in “targeted advertising” under CDPA if it is:
- Collecting a Virginian consumer’s personal data;
- From their “activities over time” and from third-party websites or apps it doesn’t control;
- For the purpose of predicting their “preferences or interests”; and
- Then showing them advertisements based on that personal data of theirs that it so collected.
That may seem like a great deal of what digital marketing is, but there appear to be tons of outs for digital advertisers. CDPA is careful to specifically exclude a few items from its definition of “targeted advertising” — including ads delivered based on specific and unambiguous opt-ins by consumers, ads delivered based on activities on the data controller’s own website(s) and/or app(s), and the act of processing personal data strictly for the sake of measuring and reporting.
But here’s the most spectacular exclusion from that definition: “Advertisements based on the context of a consumer’s current search query, visit to a website, or online application…”
To offer some examples thereby: It seems that PPC campaigns are going to be just fine — because PPC ads are based on a “current search query”. The same goes for a data controller categorizing people clicking through to its website merely by virtue of where they came from or why/how they arrived there (and nothing else) — because that would seem to be based on “the context of a … visit to a website [or app]”.
Of course, what marketers do afterwards with additional data collection and data linkage may veer into “targeted advertising” territory. If so, then consumer opt-outs may follow.
(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney authorized to practice in your jurisdiction.)
This story first appeared on MarTech Today.