• The VCDPA does not include a private right of action. The Virginia attorney general can, however, seek fines for failure to cure a violation of up to $7,500 per violation. Colorado Colorado has now joined California and Virginia to become the third US state to pass a comprehensive data privacy law-the Colorado Privacy Act (the “CPA”). The CPA became effective July 1, 2023. The CPA borrows in part from the European Union’s General Data Protection Regulation (“GDPR”), but more significantly from both the California Consumer Privacy Act (“CCPA”, including as amended by the California Privacy Rights Act (“CPRA”)), and the Virginia Consumer Data Protection Act (“VCDPA”). The definition of “sale” in the CPA is nearly identical to the CCPA definition, and includes any exchange for monetary or other valuable consideration . The VCDPA defines “sale” more narrowly, including only exchanges for monetary consideration. Under the CPA, consumers may opt out of the processing of their personal data for: (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling in further of decisions that produce legal or similarly significant effects concerning a consumer (provision or denial of financial, lending, housing, insurance, education, criminal justice, employment, healthcare, or essential goods or services). The CPA requires that controllers provide a “clear and conspicuous” method to exercise the right to opt-out of the sale of personal data or targeted advertising, which must be in the controller’s privacy notice as well as in a readily accessible location outside the privacy notice. Controllers may also allow users to opt-out through a universal opt-out mechanism that meets technical specifications established by the Attorney General (this becomes mandatory on July 1, 2024).
119
Made with FlippingBook - Online Brochure Maker