Marketing is an increasingly data-driven practice. Knowing who your customers are, how they use the internet and what messages resonate is all part of an efficient and effective marketing strategy. While user data may make our jobs easier, not every person is going to be chill about having their online information collected, stored and used – and that’s when governments get involved.
Using the General Data Protection Regulation (GDPR), the landmark law that regulated data protection and privacy in the EU and European Economic Area, as a guide, the push for more transparency over the collection of and control over consumer personal information (PI) has gained momentum in the U.S.
While there are currently no comprehensive federal regulations in regard to data privacy, there are a number of state-level regulations that have been enacted and/or will be going into effect at the start of 2023, including the Virginia Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA), an amendment to 2020’s California Consumer Protection Act (CCPA). Other state-level laws will go into effect in mid-2023, including the Connecticut Data Privacy Act (CTDPA), the Colorado Privacy Act (CPA) and the Utah Consumer Privacy Act (UCPA).
Even if your business is not located in one of these states, it may still fall under one or all of these regulations – especially if you offer products or services within these states – and failure to comply may result in fines or legal action on behalf of affected consumers.
That’s why understanding these laws, determining whether they apply to your business, and ensuring your website meets compliance requirements is so important.
So let’s take a look at the laws that will go into effect Jan. 1 in California and Virginia and how they’ll affect your website.
California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA)
What is the law? This ballot measure was written into law to amend and expand protections extended under the Consumer Protection Act (CCPA), which was enacted in 2020, and added provisions to establish the California Privacy Protection Agency. This law also extends to the collection of employee personal information.
Who does it apply to? For-profit companies that collect PI from California residents, and meet any of the following criteria:
- $25M+ in gross annual revenue
- Buys, sells or shares personal information of 100,000 or more California residents or households
- Derives 50% or more of annual revenue from selling or sharing California personal information
When does it go into effect? California CCPA has been in effect since Jan. 1, 2020, but CPRA provisions kick in Jan. 1, 2023.
Virginia Consumer Data Protection Act (CDPA)
What is the law? Using existing legislation as a framework, this law was passed in 2021, ahead of a ballot measure. Unlike California’s data privacy laws, it does not include revenue thresholds or cover the exchange of employee personal information. Additionally, this law limits the definition of “sale of personal information” to “the exchange of personal data for monetary consideration by the controller to a third party.”
Who does it apply to? For-profit companies that operate in or offer products/services targeted to residents of Virginia, and meet either of the following criteria:
- Controls or processes data of 100,000+ consumers, or
- Controls or processes data of 25,000+ consumers and derive of its revenue from the sale of personal data
CDPA also lists entity- and data-level exemptions that limit which businesses it applies to, including:
- Virginia Government – Bodies, authorities, boards, bureaus, commissions, districts, or agencies/political subdivisions
- Financial institutions or data subject to the Gramm-Leach-Bliley Act
- Entities or businesses subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HIPAA regulations)
- Nonprofit organizations
- Higher education institutions
When does it go into effect? Virginia CDPA goes into effect Jan. 1, 2023.
How Do These Laws Affect Your Website?
This new batch of data privacy laws shares a lot of common characteristics that may affect your website and larger digital marketing efforts. Parts of the laws specifically address privacy policies, the use of cookies and allowing users to exercise their rights to digital privacy.
Protecting the Privacy of Your Customers Matters
This push for data privacy isn’t going away. In addition to the states mentioned in this post, dozens more have introduced legislation aimed at protecting the digital privacy of consumers.
But updating your privacy policy and adding links on your website is actually the easy part of ensuring your business is in compliance with this growing number of laws. There are many backend processes that must occur on an institutional level that allow users to exercise their rights to privacy, including mapping and consistently updating PI sources, and handling access, deletion or correction requests. Your website is really just a resource that lets them do this.
As your digital marketing partner, Responsory is here to help. Whether recommending resources for managing your customer data or updating your website for compliance, we’ll help you navigate the ever-changing landscape of data privacy. Contact us to learn more about implementing your data privacy program on your website today.