top of page
Writer's pictureVishal Lakhani

CPRA and VCDPA: Guide to Compliance in 2023

Updated: May 11, 2023


CPRA and VCDPA: Guide to Compliance in 2023

The California Privacy Rights Act (CPRA) is an addendum to the previous data privacy law passed for the state of California, CCPA.

Even though CPRA came into effect on January 1, 2023, the state has planned to fully enforce it by July 1, 2023. CPRA California was proposed as a ballot Proposition 24 in the US General Election 2020 by the citizens of California.

Businesses can expect California Privacy Rights Act (CPRA) to be stringent as the EU's GDPR because these acts will strengthen the rights of California residents, harden business regulations on the use of personal information (PI), and establish California Privacy Protection Agency (CPPA), a new government agency for state-wide data privacy enforcement among significant changes to the Golden State's data privacy regime.


CPRA: key benefits for Californians

A quick breakdown of the California Privacy Rights Act (CPRA) –

  • California Privacy Protection Agency (CPPA) will be established by CPRA as a lead enforcer of the CCPA data privacy regime.

  • The definition of a business under CPRA excludes smaller businesses and includes large businesses that generate huge revenue from data collection, selling, and/or sharing of personal information of Californians.

  • CPRA empowers Californians with four new rights and five modified rights.

  • CPRA constructs a new category, sensitive personal information (SPI), that will be regulated strongly and separately from personal information (PI).

  • To regulate cross-contextual behavioral advertising and its use of personal information, CPRA changes the opt-out right.

  • The business will be responsible for how third parties use, share or sell personal information that they have collected in the first place under CPRA.

  • CPRA adds GDPR-like provisions to the CCPA.

  • CPRA expands the requirement for consent to cover more scenarios.


CPRA Compliance: Key tips for business

Even though businesses invested heavily to comply with privacy protocols and notices to meet on January 1, 2023, California lawmakers still need to be done with them.

California Privacy Rights Act or CPRA is an extension to enforce CCPA by July 1, 2023. Let me make it easy by listing down fundamental changes that CPRA will implement.

CPRA Compliance: 2 Key Rules

Rule 1: This aspect of CPRA will primarily deal with law–including required notices, consent, and responding to DSARs.

Rule 2 includes automated decision-making, risk assessments, and cybersecurity audits.

What should a business expect:

  1. Be aware of your businesses' data collection and data processing systems. You must be clear with the flow of data within your organization. Also, review risk assessments by conducting regular audits, as these amendments will be enforced heavily.

  2. Be aware of the enforcement activities undertaken by respective agencies (i.e., CPRA or VCDPA). Understand how the new and complex requirements are being interpreted.

  3. Make your business "Global" compliance. Try to meet the common needs among other US privacy laws like CPRA, VCDPA, CPA, etc. And look for a differentiator among these laws, which is crucial for your business. For example–the unique and prescriptive website link requirements under CPRAA are not required in VCDPA.


CPRA and VCDPA: The Next Step

CPRA (California Privacy Rights Act)

California Consumer Privacy Act (CCPA) is the first digital consumer data privacy legislation signed as law on June 28, 2018, by then-Californian Governor Jerry Brown.

CCPA came into effect on January 1, 2020. CPRA is an amendment and an extension of CCPA, which has been effective from January 1, 2023, and is to be fully enforced from July 1, 2023.


The CCPA applies to for-profit-businesses that process the personal information of more than 100,000 Californians annually (As per the latest CPRA), or with annual revenue exceeding $25 million, or derive at least 50% of its annual revenue by selling personal data of Californians, regardless of the businesses' location around the world.

As per CCPA, the Sale of Personal Information is defined as:


"Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." (1798.140.t1).


Any company that shares a common branding, such as a trademark, service mark, or a shared name, with a business liable under the CCPA will also be subjected to CCPA compliance.


CCPA allows Californians to access, change, or delete data if necessary. They also have the right to opt out or withdraw their consent to having their data sold to third parties.

Failure to comply with the CCPA can result in fines for businesses of $7,500 per violation and $750 per affected user in civil damages.


VCDPA (Virginia Consumer Data Privacy Act)

VCDPA was first signed into law on March 2, 2021, by Virginia Gov. Ralph Northam, making it the second data privacy legislation in the US after CCPA. This law has been effective from January 1, 2023. VCDPA has yet to make any extensive amendments.

So like CCPA, Virginia Consumer Data Protection Act (VCDPA) applies to for-profit-businesses that either:


1.Control or process the personal data of at least 100,000 Virginia residents or

2.Controls or processes the personal data of at least 25,000 Virginia residents and derives at least 50% of their annual revenue from the sale of personal data.

VCDPA gives citizens of Virginia the right to access, change or withdraw their data from businesses at their request. Suppose a company earns revenue by sharing or selling personal data of Virginia's residents for target advertising or other marketing purposes. In that case, they are obliged to conduct periodic data protection assessments.

Failure to comply with the VCDPA can result in fines for businesses of $7,500 per violation with a 30-day cure period to respond by communicating with the attorney general's office.


CPRA and VCDPA: Do you really need it?

"The people, when rightly and fully trusted, will return the trust."

Trust is the most significant factor in any long-term relationship. Whether it's a personal relationship or a business one, it goes a long way when two individuals have faith in each other. But this trust was broken.


Facebook, Google, Microsoft, and many other companies have been responsible for insufficient data protection assessment audits, resulting in severe data breaches. And some of them violated data privacy laws. The latest example is Meta, which tried to bypass the most stringent data privacy law to date, the GDPR.

And when companies like Google and Facebook came under public fire, the US government and businesses had to think of something to regain public trust. So, rather than making a national privacy law, state governments were tasked with enforcing data privacy laws and making businesses accountable for what they do with citizens' personal information.


CCPA was the first data privacy law in the US, followed by VCDPA. The lawmakers left no doubt that personal data was strictly consumer's property. And companies must ask for consent and be transparent enough to tell the consumer what personal data is collected, how it is processed, and if it is shared or sold with other third-party companies.


The content of the personal information or PI includes:

  • Legal names

  • Age and date of birth

  • Postal addresses

  • Education information

  • Driver's license and passport

  • Credit and debit card numbers

  • Social security numbers

  • Demographic information

  • Income and financial data

  • Political and religious affiliation

  • Browsing and searching history

  • Unique online account names

  • Geolocation and biometric data

  • Any other uniquely identifiable information.

Privacy laws: a Boon for Businesses!

The world has indeed shrunk. Technology has made it extremely easy to provide us with the latest things happening worldwide in seconds. A place with so much virality can either make or break businesses.


Today's generation, especially Millennials and GenZ, are vocal about their likes and dislikes. They crave Authenticity and look to build a long-term relationship. But there need to be more businesses who can provide that.


Mckinsey recently published an article that gives a glimpse into how Millennials and GenZ are shaping the future of retail in the United States. Even Forbes agrees that Authenticity has become a critical factor in marketing your products and services.

So as a Marketer or a business owner looking to retain your customers longer and build a brand they love, you need to be authentic. And complying with the data privacy law is the best way to build trust and show transparency across all your business operations. When people realize that you, as a business, respect their privacy, they couldn't be happier to do business with you.

CPRA and VCDPA: Key Provisions to Comply

These two laws grant consumers certain rights that businesses must oblige to. They are:

  • Right to access the collected personal data

  • Right to withdraw or delete personal data

  • Right to change or correct inaccurate personal data

  • Right to transfer personal data securely by business

  • Right to portability of data, i.e., portable access of data collected by the company

  • Right to withdraw or opt out of the processing of personal data for advertising purposes

  • Right to withdraw or opt out of the sale of personal data

  • Right to withdraw or opt out of the recording of personal data

  • Right to non-discrimination against exercising of any foregoing rights.


Apart from this, these two data privacy laws make it mandatory for businesses to define their Business Purpose clearly by:

  • Conducting audits and verifications related to transactions

  • Detection of data security incidents, fraud prevention, or unlawful activities

  • Debugging to recognize and repair errors

  • Performing services on behalf of the business or service provider

California law requires companies to include a form (Section 1798.135) on their websites asking consumers to opt in or out of data sharing. Any business collecting or processing personal data without the user's consent can be legally sued by the data subject to whom the personal data belongs.


6 Steps towards CPRA and VCDPA Compliance

US lawmakers have done their best to ensure that their data privacy laws, CPRA and VCDPA, provide tough competition to GDPR, the world's most rigid data privacy law.

Like GPDR, US privacy laws CPRA and VCDPA ask businesses to operate on the basic principles of data privacy:

  • Transparency

  • Security

  • Consent

They require companies and organizations to adhere to their duties and protocols when collecting and processing personal data from consumers.


Making it simple, CPRA and VCDPA ask companies and organizations to tell customers what personal data is, how it is collected and processed, and with whom that personal data is shared or sold. In addition, they want businesses to manage and assess how personal information is stored and protected and audit the security measures thoroughly, mitigating any chances of data breaches and abuse.


Now let's look at how you can make your business profitable by complying with CCPA and VCDPA:


Step 1

Designate an individual or a team member in charge of data privacy and security. This person can be either a chief data officer, chief privacy officer, or data privacy officer.


Step 2

Create a Data Map to keep assessments of how data flows across your business channels and have an auditable record of all the data with Data Inventory. Those of you who have this process with EU residents must have a fairly good idea of where their California data is.


Step 3

Assess the risk of your identified data flow in the inventory and measure data practice against legal metrics. Do you know how many businesses still need to learn the type of data they own, its scope, and where it is located? A ton.


If you understand your data and have a good insight, it will be easier to know what and how this can impact your business operations in the context of CPRA and VCDPA.


Step 4

Beef up your cybersecurity game for extremely sensitive information about healthcare, financial, or children's records.


You must know what data types you have, who is responsible for processing that data, and which data has the highest priority. This would help you to fortify your data security measures.


While it costs a lot to implement a new security and privacy platform, if you are found guilty of not making reasonable efforts for your data security and if there's a breach, then fines and penalties along with reputational damage might cost you more.


Step 5

If your business has a tie with third-party companies to collect, process, store, or transmit personal data, then you need to audit and update those contracts to comply with CPRA. Having a piece of sound advice from a partner with excellent experience in CPRA compliance can help you immensely.


They can guide you to insert standard contractual language into your partnership agreements with minimal legal jargon. Under CPRA and VCDPA compliance, you are required to mention in all your contracts with third parties regarding their function and roles, such as:


a. What data will be collected?

b. How will it be processed?

c. How will your service provider comply with you during DSARs?


Step 6

Under CPRA and VCDPA compliance, the business owner must ensure that all involved in handling consumer data, especially those who process DSARs, must undergo training regarding data security and data risk management.

The training must be conducted to match respective data privacy laws like live virtual or on-site classroom sessions and standardized courses with materials and testing. Though, as per CPRA and VCDPA, the training method is not specified, it is recommended to be revised annually at a minimum.


Non-compliance: Isn’t an Option anymore!

CPRA and VCDPA's approaches to fines and penalties for non-compliance are similar and hefty.


If your business is non-compliant with these laws, you can be fined up to $7500 per violation plus legal fees. Only under CPRA can consumers sue you for damages between $100 and $750 per violation–or any higher amount related to actual harm.


These fines and penalties are to be borne by the data controller (the business owner) and not the processor (the service provider working on behalf of the controller).

The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA and fines of up to $7,500 for companies that commit intentional breaches.


But there is one cost that businesses often neglect but causes much more damage than fines and penalties.


Risk of Reputational damage

In today's world, where news spreads like wildfire, competitors wouldn't leave a chance for anything to shatter your business image because you didn't comply.

The financial cost can be recovered, but once your reputation is damaged, there is no return.


Customers want to know if they can trust you or not. They don't want to be treated like any other product. They want empathy. Today's generation wants a more profound connection that most businesses don't provide.

Get privacy compliant and make trust your priority. Shouldn't you be serious about this?


Consent Management Platform: The Right Way

A Consent Management Platform (CMP) like Adzapier's helps you achieve compliance with the world's major privacy laws like the EU's GDPR, the US's CCPA, VCDPA, and Brazil's LGPD–in a matter of clicks.


Built with a cookie scanner that tracks and blocks third-party cookies with Auto-Cookie blocker, Adzapier's CMP helps you build transparency with users without hurting their privacy.


It comes with a customized cookie banner that tells your brand story and helps you get insight to increase more opt-in consents from the users through personalization.

There’s more! It also provides you with a centralized dashboard keeping track of all the data collected with their respective data subjects, helping you to comply with DSARs smoothly. We also have session recording, which lawfully tracks user consent and engagements with your website to prove compliance whenever data audits or legal matters knock on your door.


Don't believe us? Why don't you try it yourself with a 14-day free trial. Contact one of our privacy experts today to schedule a demo and see just how easy it is to get your business in compliance.


FAQs

What is the difference between CCPA and CPRA?

California Consumer Privacy Act (CCPA) is the US's first data privacy law, whereas the California Privacy Rights Act is Proposition 24, which amends and enforces CCPA in the state of California.


What is a key way the CPRA impacts the CCPA?

The CPRA amendment to CCPA intensified Californians' privacy right and established the California Privacy Protection Agency (CPPA), which is responsible for CCPA enforcement, inspects consent in specific use cases, and provides more transparency in both notices and at the point of collection.


When does the California Privacy Rights Act (CPRA) go into effect?

The California Privacy Rights Act (CPRA) was enacted on January 1, 2023, and will be fully enforced on July 1, 2023. We have listed key consequences that CPRA will have on your business which will specifically affect your Data collection and Data security strategies.


How do I become CPRA compliant?

Step 1: Designate an individual or a team member in charge of data privacy and security.

Step2: Create a Data Map to keep assessments of how data flows across your business channels

Step 3: Assess the risk of your identified data flow in the inventory and measure data practice against legal metrics

Step 4: Beef up your cybersecurity game for extremely sensitive information about healthcare, financial, or children's records.

Step 5: Audit and third-party update contracts to comply with CPRA.

Will the VCDPA apply to my organization?

Yes, if you are a for-profit organization that controls or processes the personal data of Virginia residents on a larger scale, then VCDPA will apply.


How will the VCDPA affect my company?

The VCDPA grants consumers the right to access, change or withdraw/delete their personal data by requesting business if needed. It also makes it mandatory for companies to conduct data protection assessments related to personal processing data for targeted advertising and sales purposes.

bottom of page