Canada’s CTA Messaging Compliance: A Brief Overview
In the landscape of data privacy legislation, Virginia made a significant move on March 2, 2021, by enacting the Virginia Consumer Data Privacy Act (VCDPA). This landmark law positioned Virginia alongside other states that have embraced comprehensive data privacy measures, such as California, Florida, Colorado, and more. The VCDPA is slated to become enforceable on January 1, 2023, and it brings unique provisions to the table, setting the stage for a new era of data privacy protection.
The VCDPA, similar to many of its counterparts, is designed to empower consumers with enhanced control over their personal data. To ensure compliance, it is crucial to understand the core components of the VCDPA:
To ensure compliance with the VCDPA, it is essential to determine whether the law applies to your business:
While the VCDPA is extensive in its scope, certain entities are exempt from its provisions, including:
To ensure compliance with the VCDPA, follow these essential steps:
The Virginia Consumer Data Privacy Act is set to take effect on January 1, 2023. To prepare your business for compliance with the VCDPA, consider the following:
If your business falls under the jurisdiction of the Virginia Consumer Data Privacy Act (VCDPA), it’s crucial to initiate compliance preparations well in advance of the effective date. GetTerms offers a range of services to help you efficiently address compliance requirements, including tailored legal policy documentation, staff training, and the generation of cookie consent banners. Take advantage of our solutions today to meet the needs of VCDPA and other relevant privacy regulations.
SUBJECT | California (CPRA) | Virginia (VCDPA) | Colorado (CPA) |
---|---|---|---|
APPLICABILITY | For-profits that do business in CA, meeting one of three thresholds: 1. Revenues over $25,000,000; 2. Collect personal information of over 100,000 consumers or households; or 3. Generate at least half of revenues from sales of personal information. | Persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that: 1. Control or process personal data of at least 100,000 consumers per year; or 2. Control or process personal data of at least 25,000 consumers and derive more than half of gross revenues from the sale of personal data. | Controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and: 1. Controls or processes the personal data of 100,000 consumers or more during a calendar year; or 2. Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more. |
PERSONAL DATA | Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, not including publicly available information or deidentified or aggregate consumer information. | Personal data means any information that is linked or reasonably linked to an identified or identifiable natural person, not including de-identified data or publicly available information. | Personal data means information that is linked or reasonably linkable to an identified or identifiable individual, not including publicly available information. |
SENSITIVE INFO. | Sensitive personal information means (in summary) personal information that reveals certain information about a consumer. The specific categories of sensitive personal information are listed in the statute and include data types similar to those listed in Virginia and Colorado, and information such as Social Security number, driver’s license, state identification card or passport numbers, account log-in, financial account, debit card or credit card numbers in combination with any required security or access code, password or credentials allowing access to an account, and precise geolocation. | Sensitive data means a category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizen or immigrant status, as well as processing of genetic or biometric data for identification, precise geolocation data, and personal data collected from a known child. | Sensitive data means personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person’s sex life or sexual orientation, citizenship, or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. The definition also includes personal data from a known child. |
KEY EXEMPTIONS | [Note: The Personnel and B2B exemptions in CA are scheduled to sunset January 1, 2023, although many expect they will be extended.] 1. Information (not institutions) subject to GLBA or California financial privacy laws 2. Institutions and information subject to HIPAA 3. Data regulated by FCRA, DPPA, FERPA, and others 4. Non-profit organizations | 1. Institutions subject to GLBA and its implementing regulations 2. Institutions and information subject to HIPAA 3. Personnel data 4. B2B information 5. Data regulated by FCRA, DPPA, FERPA, and others 6. Non-profit organizations | 1. Institutions subject to GLBA and its implementing regulations 2. Institutions and information subject to HIPAA 3. Personnel data 4. B2B information 5. Data regulated by FCRA, DPPA, FERPA, and others 6. Data maintained by state institutions of higher learning for non-commercial purposes |
CONSUMER RIGHTS | | | |
Right of Access | Yes | Yes | Yes |
Right of Portability | Yes | Yes | Yes |
Right to Correct | Yes | Yes | Yes |
Right to Delete | Yes | Yes | Yes |
Opt-out Right | Yes | Yes | Yes |
Opt-in Right for processing Sensitive Data | No (Note: May limit use and sharing.) | Yes | Yes |
Non-Discrimination Right | Yes | Yes | No |
Private Right of Action | Yes | No | No |
BUSINESS/CONTROLLER OBLIGATIONS | | | |
Notice to Consumers | Yes (Notice at Collection specifically required) | Yes | Yes |
Privacy Policy | Yes (California Privacy Policy specifically required) | No (although required disclosures may be incorporated in the privacy policy) | No (although required disclosures may be incorporated in the privacy policy) |
Contractual Reqs. for Third Party Service Providers/Processors | Yes | Yes | Yes |
Data Processing Impact | No | Yes | Yes |
ENFORCEMENT | | | |
Right to Cure | None (Note: the existing right to cure sunsets January 1, 2023) | 30 days | 60 days |
Enforcer | Dedicated enforcement agency (CPPA), Attorney General, and Private litigants | Attorney General | Attorney General and District Attorneys |