• Similar to the GDPR, mandatory data protection assessments are required for sales, targeted advertising, and profiling, including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment.
• The roles of controllers and processors are defined, with specific role-based requirements for processors and obligations to assist the controller, adhere to the controller’s instructions, and demonstrate compliance with processor obligations.

There is some good news for businesses:

• Employee data and B2B data are not covered under the VCDPA. Personal data under the VCDPA excludes employee data, business-to-business data, de-identified data, and publicly available information.
• “Sale” of data under the VCDPA is narrower than under the CCPA and is limited to the exchange of personal data for monetary consideration by a controller to a third party.
• The VCDPA does not include a private right of action. The Virginia attorney general can, however, seek fines of up to $7,500 per violation for failure to cure a violation.

Colorado

Colorado has now joined California and Virginia to become the third US state to pass a comprehensive data privacy law, the Colorado Privacy Act (the “CPA”). The CPA became effective July 1, 2023. The CPA borrows in part from the European Union’s General Data Protection Regulation (“GDPR”), but more significantly from both the California Consumer Privacy Act (“CCPA”, including as amended by the California Privacy Rights Act (“CPRA”)) and the Virginia Consumer Data Protection Act (“VCDPA”). The definition of “sale” in the CPA is nearly identical to the CCPA definition, and includes any exchange for monetary or other valuable consideration.