Termly’s CPRA and CDPA Update
Developed by our product engineers, legal team, and data privacy experts, our policy builder now walks you through the creation of the proper clauses and new legal definitions in line with both of these laws.
If you fall under the legal threshold of the CPRA, our generator now offers details about:
- Sensitive personal information
- Selling and sharing of personal information in line with the legal definitions
- Updated information about profiling
- Data storage limitation details
For businesses under the Virginia CDPA, our generator now provides you with options for:
- Sensitive personal information
- Selling of personal information in line with the legal definition
- Consumers’ rights to access, correct, request to delete, or obtain a copy of their personal data
- Consumers’ rights to opt out of the processing of personal data for targeted advertising, selling of personal data, or profiling
By expanding our offerings and remaining up to date, our generator helps businesses comply with seven different data privacy laws from around the globe, including all relevant US, UK, European Union (EU), and Canadian legislation.
What Is the CPRA?
In 2020, residents of California voted to turn the California Privacy Rights Act (CPRA) into state law, amending the previous data privacy legislation called the California Consumer Protection Act (CCPA).
The CPRA introduces the concept of sharing personal information and adds a distinct category of sensitive personal information.
Any CCPA regulation unaffected by the CPRA amendments will remain in place.
The CPRA covers any for-profit business collecting data from California residents that meets one or more of the following:
- Generates over $25 million in gross annual revenue as of January 1 of the previous year
- Buys, receives, sells, or shares personal information of 100,000 or more consumers
- Derives 50% or more gross annual revenue from the sharing or selling of personal data
Businesses under the jurisdiction of the CPRA must:
- Actively implement reasonable security procedures and practices to protect consumer personal information
- Follow specific contractual obligations if you share, sell, or disclose personal information to contractors, third parties, or service providers
- Only retain personal information for as long as reasonably necessary for the purpose it was collected
- Respect consumers’ opt-out choices through a “Do Not Sell or Share My Personal Information” link, a “Limit the Use of My Sensitive Personal Information” link, or by honoring Global Privacy Control settings on users’ browsers.
New rights granted to consumers under this law include:
- The right to request to correct their personal information
- The right to limit the use and disclosure of sensitive personal information
The CPRA also expands upon some rights defined initially under the CCPA. The updated amendments grant Californians the right to:
- Delete their personal information and have it deleted by any third party it was shared with
- Request more access to their data by clarifying the concepts of sharing and disclosing information
- Be informed about who their personal information is sold or shared with
- Opt out of the sharing of their personal information
- Be free from discrimination in the context of employees, applicants for employment, and independent contractors
Penalties for non-compliance under the CPRA include fines of $2,500 per incident or up to $7,500 per intentional incident and are enforced by the California Attorney General or private lawsuits.
How Termly Is Helping Our Users Comply With the CPRA
Our template and generator now reflect the law’s new definition of sharing personal data and the addition of the category of sensitive personal information. We provide updated tooltips and help features about the CPRA’s legal definitions.
We’ve also added a clause focusing on the data storage limitation details and revised the content about user profiling to match the CPRA amendments.
What Is the Virginia CDPA?
As the first data privacy law enacted by the state, the Virginia Consumer Data Protection Act (CDPA) provides rights to consumers and creates obligations for businesses over collecting, storing, and using personal user data.
The CDPA applies to persons or entities conducting business in Virginia or producing products and services targeted to residents of the state that meet one of the following:
- Controls or processes the personal data of at least 100,000 consumers
- Derives 50% of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers
Entities that qualify as data controllers under this law must:
- Present and explain all consumer rights in a clear manner
- Comply with the requirements of proportionality and necessity, and establish security safeguards
- Clearly and conspicuously disclose wherever personal data is sold to third parties or processed for targeted advertising
- Provide a manner in which consumers can opt out of the selling of their personal data to third parties or the processing of personal data for targeted advertising
Under this law, Virginia consumers have the right to:
- Confirm if a controller is processing the consumer’s personal data
- Access the personal data processed by controllers
- Correct inaccuracies in the consumer personal data
- Delete personal data provided by or obtained about the consumer
- Obtain a portable copy of the personal data the consumer provided to the controller, when technically feasible
- Opt out of the processing of personal data for targeted advertisements
- Opt out of the sale of personal data
- Opt out of profiling in furtherance of decisions that produce legal or similar effects
The penalties for non-compliance under the CDPA include fines of up to $7,500 for each violation or civil penalty, as enforced by the Virginia Attorney General.
How Termly Is Helping Our Users Comply with the CDPA
We also included and updated our tooltips and help features to reflect the most recent interpretations of the law to help you quickly and easily create a compliant privacy agreement.
For our current customers, we send out email updates and news, including information about what responsibilities you need to independently follow through on, in tandem with the use of our products, to keep your business in line with this new law.
Termly Is Always Up To Date
Our team of product engineers, lawyers, and data privacy experts develops, updates, and maintains our entire suite of compliance tools, so you can trust that Termly products are consistently up to date.
We believe in transparency and will always inform our customers about any major changes we’re implementing to our tools that may impact privacy compliance, including information about new and developing laws.
You can also access our resource center, which we add to constantly, to see relevant news, coverage of upcoming data privacy legislation, infographics, and factual information to help you better understand the importance of data privacy compliance.
If it’s Termly, you can trust it.
These two laws join the following list of other global data privacy legislation that our generator and template are built to comply with:
- General Data Protection Regulation (GDPR)
- California Consumer Protection Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- The UK GDPR
Keep an eye out for future updates about new laws and compliance regulations we’re adding to our full suite of compliance products.