Article: Privacy Regulations
Summary
The privacy legislation landscape is evolving rapidly. This article represents a communication to customers to explain the then-upcoming regulations in California and Virginia, and includes an outline of the company's response and a brief overview of the effort required to remain compliant.
Overview
On January 1, 2023, Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) will both go into effect.
California's CPRA is an amendment to the CCPA, or California Consumer Privacy Act, passed in 2020, and is set to expand consumers’ privacy protections that were already established with the previous law. Virginia's CDPA borrows heavily from the original California Consumer Privacy Act - before the CPRA amendments were voted in.
Importantly, both of these laws extend consumer rights over how companies process their data, and in doing so, create new requirements for business compliance.
- CPRA (California) enforces a user’s right to opt out of sensitive data processing.
- CDPA (Virginia) enforces a user’s right to opt in to sensitive data processing.
- CPRA and CDPA have different definitions of what constitutes sensitive data, as well as the type of business processes that require management.
Opt-out requirements
The specific opt-out requirements for each regulation are as follows:
Opt-Out Required | Definition | CPRA | CDPA |
---|---|---|---|
Targeted Ads | Advertising that uses personal data to personalize the content or location of the ad. | NO | YES |
“Sale” of personal information/data | Under CPRA, a sale relates to the sharing of information for monetary exchange, or an exchange of value. Under CDPA, a sale is exclusively for money. | YES | YES |
Profiling | Under CDPA, profiling refers to automated decision-making about a user. | NO | YES |
Consent requirements
The specific consent requirements for each regulation are as follows:
Treatment of Sensitive Information | Description | CPRA | CDPA |
---|---|---|---|
Opt-out Consent | Explicit opt-out. Data may be used if the user does not opt out. | YES | NO |
Opt-in Consent | Explicit opt-in. Data may only be used after the user has given informed and explicit consent. | NO | YES |
Response
In order to continue to enable your team to comprehensively implement users' consent preferences, Ethyca will be making a series of updates to the Consent Management experience to ensure you stay in compliance. These updates allow you to classify your collected data under multiple data categories, and enable users to opt in or out of data usages on your Consent Management page.
Consent preference updates will now be stored for reporting and auditing purposes, and the latest preference will be reflected in a browser cookie. This will be available to you to start using January 1, 2023.
Support in Ethyca Pro
To ensure compliance with both CPRA and CDPA, Ethyca will provide enhancements to the current Consent Management experience:
- Grouping systems into the categories of data they process (e.g. data, personal data, sensitive personal data) for necessary geographic regions (e.g. Virginia, California)
- The ability to set the end-user action for each data category as opt-in or opt-out
- Allowing subjects to opt in or out of configured data categories based on their geographic location
- Storing end-user consent preferences in a browser cookie to toggle browser-side data flows
- Recording consent preference changes for reporting, auditing, and management
Level of effort
If your team has a privacy officer or engineer already comfortable working with Ethyca’s current Control Panel and Consent Management experience, the additional privacy settings are configurable in a matter of minutes.