Virginia’s Consumer Data Protection Act (CDPA) has been signed into law by Governor Ralph Northam, and will come into effect on Jan 1, 2023. It’s already being compared with Europe’s GDPR and California’s CCPA, but trying to establish whether it is more lenient or more stringent than those attempts to protect consumer data is almost beside the point. It’s a singular piece of legislation with its own quirks and confusions. For one thing, it gives consumers no right of private action — only the state’s Attorney General will be able to bring lawsuits under the provisions of the Act. For another, it withholds its protection from individuals “acting in a commercial or employment context.” That appears to mean that your data is not protected if you are browsing for work purposes; or, from the marketer’s perspective, B2C marketing efforts need to be in compliance with CDPA; B2B campaigns, perhaps not. Perhaps strangest of all, while Virginia consumers are entitled to opt out of having their personal data processed for the purpose of targeted advertising, the following is not considered targeted advertising: “Advertisements based on the context of a consumer’s current search query, visit to a website, or online application.” It’s early days for making sense of this legislation, and figuring out how brands marketing to Virginians should comply in practice.