Kristen Mathews spoke to CSO about Virginia enacting the Consumer Data Protection Act (CDPA), a consumer data protection law along the lines of the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights and Enforcement Act (CPRA).
“The CDPA is basically a combination of the CCPA, CPRA, and GDPR,” Kristen said, but added that there are many differences between the Virginia bill and its counterparts.
For example, “the definition of personal information in the CDPA is narrow because it only includes data that is identifiable to a natural person, as opposed to data that is identifiable to a device or a household,” Kristen said.
Another difference deals with the de-identification of data, which businesses often implement to avoid privacy laws’ burdens. “The CDPA has conditions on de-identification that are beyond the conditions that are present in the CCPA and the CPRA,” she added. “There are more hurdles to successfully de-identifying data under the Virginia law.”
Read the full article.