Termly Now Covers the CPRA and Virginia’s CDPA

Termly’s Privacy Policy Generator officially covers the guidelines and requirements outlined by the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA)  — two new extraterritorial US data privacy laws that came into effect on January 1, 2023.

We’ve also incorporated these updates into our free privacy policy template!

Termly’s CPRA and CDPA Update

Developed by our product engineers, legal team, and data privacy experts, our policy builder now walks you through the creation of the proper clauses and new legal definitions in line with both of these laws.

We’ve also updated our internal tooltips and help features so you can easily build a privacy policy that complies with the CPRA and the CDPA in minutes.

If you fall under the legal threshold of the CPRA, our generator now offers details about:

• Sensitive personal information
• Selling and sharing of personal information in line with the legal definitions
• Updated information about profiling
• Data storage limitation details

For businesses under the Virginia CDPA, our generator now provides you with options for:

• Sensitive personal information
• Selling of personal information in line with the legal definition
• Consumers’ rights to access, correct, request to delete, or obtain a copy of their personal data
• Consumers’ rights to opt out of the processing of personal data for targeted advertising, selling of personal data, or profiling

By expanding our offerings and remaining up to date, our generator helps businesses comply with seven different data privacy laws from around the globe, including all relevant US, UK, European Union (EU), and Canadian legislation.

What Is the CPRA?

In 2020, residents of California voted to turn the California Privacy Rights Act (CPRA) into state law, amending the previous data privacy legislation called the California Consumer Protection Act (CCPA).

The CPRA introduces the concept of sharing personal information and adds a distinct category of sensitive personal information.

Any CCPA regulation unaffected by the CPRA amendments will remain in place.

The CPRA covers any for-profit business collecting data from California residents that meets one or more of the following:

• Generates over $25 million in gross annual revenue as of January 1 of the previous year
• Buys, receives, sells, or shares personal information of 100,000 or more consumers
• Derives 50% or more gross annual revenue from the sharing or selling of personal data

Businesses under the jurisdiction of the CPRA must:

• Actively implement reasonable security procedures and practices to protect consumer personal information
• Follow specific contractual obligations if you share, sell, or disclose personal information to contractors, third parties, or service providers
• Only retain personal information for as long as reasonably necessary for the purpose it was collected
• Respect consumers’ opt-out choices through a “Do Not Sell or Share My Personal Information” link, a “Limit the Use of My Sensitive Personal Information” link, or by honoring Global Privacy Control settings on users’ browsers.

New rights granted to consumers under this law include:

• The right to request to correct their personal information
• The right to limit the use and disclosure of sensitive personal information

The CPRA also expands upon some rights defined initially under the CCPA. The updated amendments grant Californians the right to:

• Delete their personal information and have it deleted by any third party it was shared with
• Request more access to their data by clarifying the concepts of sharing and disclosing  information
• More information about the collection, sources, and commercial purposes for gathering consumer data, as outlined in a privacy policy
• Be informed about who their personal information is sold or shared with
• Opt out of the sharing of their personal information
• Non-discrimination in the context of employees, applicants for employment, and independent contractors

Penalties for non-compliance under the CPRA include fines of $2,500 per incident or up to $7,500 per intentional incident and are enforced by the California Attorney General or private lawsuits.

How Termly Is Helping Our Users Comply With the CPRA

We’re helping our users comply with the CPRA by updating our Privacy Policy Generator and our free privacy policy template to reflect the new user rights and the relevant business obligations created by this law.

Our template and generator now reflect the law’s new definition of sharing personal data and the addition of the category of sensitive personal information. We provide updated tooltips and help features about the CPRA’s legal definitions.

We’ve also added a clause focusing on the data storage limitation details and revised the content about user profiling to match the CPRA amendments.

What Is the Virginia CDPA?

As the first data privacy law enacted by the state, the Virginia Consumer Data Protection Act (CDPA) provides rights to consumers and creates obligations for businesses over collecting, storing, and using personal user data.

The CDPA applies to persons or entities conducting business in Virginia or producing products and services targeted to residents of the state that meet one of the following:

• Controls or processes the personal data of at least 100,000 consumers
• Derives 50% of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers

Entities that qualify as data controllers under this law must:

• Provide consumers with a clear, reasonably accessible, and meaningful privacy policy
• Present and explain all consumer rights in a clear manner
• Comply with the requirements of proportionality, necessity, and establish security safeguards
• Clearly and conspicuously disclose wherever personal data is sold to third parties or processed for targeted advertising
• Provide a manner in which consumers can opt out of the selling of their personal data to third parties or the processing of personal data for targeted advertising

Under this law, Virginia consumers have the right to:

• Confirm if a controller is processing the consumer’s personal data
• Access the personal data processed by controllers
• Correct inaccuracies in the consumer personal data
• Delete personal data provided by or obtained about the consumer
• Obtain a portable copy of the personal data the consumer provided to the controller, when technically feasible
• Opt out of the processing of personal data for targeted advertisements
• Opt out of the sale of personal data
• Opt out of profiling in furtherance of decisions that produce legal or similar effects

The penalties for non-compliance under the CDPA include fines of up to $7,500 for each violation or civil penalty, as enforced by the Virginia Attorney General.

How Termly Is Helping Our Users Comply with the CDPA

To help our users comply with the CDPA, we’ve updated our Privacy Policy Generator and free privacy policy template to reflect the responsibilities outlined for businesses and the new user rights granted by this law.

If you meet the legal thresholds of the CDPA, our privacy policy tools now provide clauses to help you outline the rights your Virginia users have over their data, including details relevant to the law’s definition of sensitive personal information and the selling of user data.

We also included and updated our tooltips and help features to reflect the most recent interpretations of the law to help you quickly and easily create a compliant privacy agreement.

For our current customers, we send out email updates and news, including information about what responsibilities you need to independently follow through on, in tandem with the use of our products, to keep your business in line with this new law.

Termly Is Always Up To Date

Our team of product engineers, lawyers, and data privacy experts develop, update, and maintain our entire suite of compliance tools, so you can trust that Termly products are consistently up to date.

We believe in transparency and will always inform our customers about any major changes we’re implementing to our tools that may impact privacy compliance, including information about new and developing laws.

You can also access our resource center, which we add to constantly, to see relevant news, coverage of upcoming data privacy legislation, infographics, and factual information to help you better understand the importance of data privacy compliance.

If it’s Termly, you can trust it.

Summary

Our product engineers, with the assistance of our legal team and data privacy experts, have officially completed updates to our Privacy Policy Generator and free privacy policy template to reflect all changes implemented by two new US data privacy laws:

• The California Privacy Rights Act (CPRA) 
• The Virginia Consumer Data Protection Act (CDPA)

These two laws join the following list of other global data privacy legislation that our generator and template are built to comply with:

• General Data Protection Regulation (GDPR)
• California Consumer Protection Act (CCPA)
• California Online Privacy Protection Act (CalOPPA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• The UK GDPR

Keep an eye out for future updates about new laws and compliance regulations we’re adding to our full suite of compliance products.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author