The VCDPA defines “sale” more narrowly, including only exchanges for monetary consideration. Under the CPA, consumers may opt out of the processing of their personal data for: (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling in further of decisions that produce legal or similarly significant effects concerning a consumer (provision or denial of financial, lending, housing, insurance, education, criminal justice, employment, healthcare, or essential goods or services). The CPA requires that controllers provide a “clear and conspicuous” method to exercise the right to opt-out of the sale of personal data or targeted advertising, which must be in the controller’s privacy notice as well as in a readily accessible location outside the privacy notice. Controllers may also allow users to opt-out through a universal opt-out mechanism that meets technical specifications established by the Attorney General (this becomes mandatory on July 1, 2024). Consumer rights under the CPA are nearly identical to those established by the VCDPA. They are also very similar to those under the CCPA. Under the CPA, controllers have 45 days to fulfill consumer requests (which may be extended another 45 days where reasonably necessary). These timelines are in line with the CCPA and the VCDPA. The CPA’s privacy notice required disclosures are nearly identical to those required by the VCDPA, requiring that controllers provide a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data collected or processed; (ii) the purposes for processing of personal data; (iii) how and where consumers may exercise their rights and how to appeal a controller’s action in response to a request; (iv) categories of personal data shared with third parties; and (v) the categories of third parties with whom the controller shares personal data.
126
Made with FlippingBook - Online Brochure Maker