There’s been plenty of chatter about Google’s third-party cookie phase-out of late, but it’s been a minute since we touched on the CDPA and the CPRA, two critical pieces of legislation surrounding consumer data privacy. On January 1, 2023, both the Virginia Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) will take effect, forcing businesses in the two states to follow specific rules surrounding targeted advertising. Following is a look at how the two differ and what’s covered under each law, according to a piece in AdExchanger from Richard Eisert, Partner at Davis + Gilbert.
Defining “Sale”
The CDPA’s definition of sale is limited to “the exchange of personal data for monetary consideration,” which is narrower than CPRA’s definition, which involves “monetary or other valuable consideration.” So the CDPA may not apply to exchanging personal information, like cookie data, for targeted advertising purposes. Meanwhile, the CPRA’s broader language applies to “sharing” and not just “sales.”
Types of Advertising
The CDPA gives consumers the right to opt out of processing for “targeted advertising,” but it provides several exceptions, including ads based on activities with a company’s websites or applications; ads based on a consumer’s search query; ads directed to a consumers based on their request; and personal data processed to measure advertising performance. The CPRA also includes exceptions, particularly regarding first-party data. But overall, the CDPA gives companies greater flexibility in terms of opt-out obligations relating to targeted advertising.
For more on the differences between the two laws, including notification of opt-out rights, obligations to children under 16 and mandatory data assessments, read on in AdExchanger.