A Legal Guide to PRIVACY AND DATA SECURITY 2024

Consumer rights under the CPA are nearly identical to those established by the VCDPA. They are also very similar to those under the CCPA. Under the CPA, controllers have 45 days to fulfill consumer requests (which may be extended another 45 days where reasonably necessary). These timelines are in line with the CCPA and the VCDPA. The CPA’s privacy notice required disclosures are nearly identical to those required by the VCDPA, requiring that controllers provide a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data collected or processed; (ii) the purposes for processing of personal data; (iii) how and where consumers may exercise their rights and how to appeal a controller’s action in response to a request; (iv) categories of personal data shared with third parties; and (v) the categories of third parties with whom the controller shares personal data. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing. It is important to note that the CPA uses a heightened “consent” standard that is similar to the standard used by the CPRA. “Consent” under the CPA means “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.” The CPA states that the following does not constitute “consent”: (a) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (b) hovering over, muting, pausing, or closing a given piece of content; and (c) agreement obtained through dark patterns (a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice).

120

Made with FlippingBook - Online Brochure Maker