"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner, Davis+Gilbert.
Everyone in the ad tech industry should have January 1, 2023 highlighted and underscored—twice—on their calendars. That’s the day that both the Virginia Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) take effect, imposing new obligations on businesses engaging in targeted advertising to Virginia and California consumers.
The two laws have some things in common. Both, for example, will require businesses to provide opt-out rights for behavioral advertising. But advertisers should be aware of the key differences between the two laws. These start with the fact that the CDPA’s terms appear to be more flexible and include broader exceptions, which should simplify companies’ efforts to comply with both the CPRA and CDPA..
But there’s more to it than that. Let’s take a look at how the laws differ.
How Do the Two Laws Define “Sale”?
The CDPA limits the definition of “sale” to “the exchange of personal data for monetary consideration.” That definition is narrower than the definition of sale in both the CPRA and its predecessor, the California Consumer Privacy Act (CCPA). In both of those acts, a “sale” involves “monetary or other valuable consideration.” The CDPA’s definition of “sale” might not apply to the exchange of personal information, such as cookie data, for targeting and serving advertising to users across different platforms, since that process often doesn’t involve exchange for “monetary consideration.” A similar interpretation, while once at least plausible under the CCPA, would be precluded under CPRA, which has broader language that expressly applies to any “sharing” of personal information, not just “sales.”
What Types of Advertising Activities Do the Laws Cover?
While the CDPA, unlike the CPRA, doesn’t provide for the right to opt out of the “sharing” of personal information per se, it does give consumers the express right to opt out of processing for “targeted advertising.” It defines “targeted advertising” as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from a consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” However, the CDPA builds in several exceptions to its definition of “targeted advertising,” which include:
- Ads based on activities within a company’s own websites or online applications;
- Ads based on the context of a consumer's current search query, website visit, or online application;
- Ads directed to a consumer based on that consumer’s request for information or feedback; or
- Personal data processed solely to measure or report advertising performance, reach, or frequency.
The CPRA contains a definition for “cross-context behavioral advertising” that’s similar to the CDPA’s targeted advertising definition. The CPRA, too, provides for certain exceptions, particularly with respect to first-party data. Still, it looks as if, for now, the exceptions built into the CDPA will give the companies to which it applies greater flexibility than the CPRA, insofar as their opt-out obligations pertain to targeted advertising.
How Must Companies Notify Consumers About Opt-Out Rights?
The CDPA mandates that companies offer a “reasonably accessible, clear, and meaningful privacy notice” that describes “[h]ow consumers may exercise their consumer rights.” It also requires companies to establish “one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.”
These rules are less prescriptive than California’s, which, through the text of the CPRA and existing CCPA regulations, set specific requirements for a “do not sell or share” link and the contents of the notice itself. For the time being, the CDPA appears to give companies greater leeway concerning the method of notifying consumers about, and providing them with, their opt-out rights.
What About Children Under 16?
Companies operating in California face added obligations for children under 16. In particular, the CPRA requires that businesses obtain affirmative consent to sell or share the personal information of children at least 13 years of age and under 16, effectively creating an “opt-in” requirement for those consumers. (Even stricter requirements apply for children under 13.) There’s no similar requirement under the CDPA, which grants teenagers and adult users the same opt-out rights.
What Do They Say About Mandatory Data Assessments?
Finally, the CDPA requires a company that sells personal data or processes it for targeted advertising to conduct and document a “data protection assessment” of these activities, identifying and weighing the benefits of the processing activity against the potential risks to consumer rights. It also requires that companies make data protection assessments available to the Virginia Attorney General upon request during investigations.
The CPRA goes farther, requiring businesses to submit mandatory “risk assessments” to state regulators not upon request, but on a “regular basis.”
The Bottom Line
Although further guidance is expected to clarify matters, the CDPA’s terms applicable to targeted advertising appear less prescriptive and include broader opt-out exceptions than the CPRA.