What are the CPRA, CPA, VCDPA, and CTDPA?

How the latest privacy regulations will impact AI for eCommerce

By Ian Nadeau December 1, 2022
What are the CPRA, CPA, VCDPA, and CTDPA?

Artificial intelligence (AI) is an invaluable tool for eCommerce as it enables brands to personalize experiences at scale using algorithmic models that segment visitors and trigger actions in real-time. Because of this, brands are becoming increasingly reliant on the machine learning (ML) function of AI — especially as a predictive solution to counteract the rise in anonymous consumers. However, today’s AI could be tomorrow’s outlaw as upcoming privacy acts are set to regulate much of the consumer data that currenlty fuels its decisioning.

The rate of AI implementation has uncovered new privacy risks, mostly concerning the massive personal data that’s required for ML to accurately make predictions. The General Data Protection and Regulation (GDPR) and California Consumer Privacy Act (CCPA) both pioneered privacy protections that gave consumers greater control over what data is collected, how it can be used, and more. These acts severely trimmed the amount of usable personal data eCommerce brands can leverage for profiling consumers — and they were just the beginning. 

According to Gartner, 65% of the world’s population will have their personal data covered under modern privacy regulations by the end of 2023. We’re starting to see that prediction become reality with the following all taking effect in the near future.

California Privacy Rights Act (CPRA) (amends the CCPA)
Colorado Privacy Act (CPA)
Virginia Consumer Data Protection Act (VCDPA)
Connecticut Data Privacy Act (CTDPA) 

Each of these privacy regulations allow consumers to opt-out of the automated processing of their personally identifiable information (PII) for the intent of profiling. Further, they create new compliance measures that brands need to consider, such as explaining the logic behind their automated decisions, how to avoid harmful automated decisions (e.g., employment or lending eligibility), and data deletion requests. 

CPRA

The CCPA didn’t account for automated decisioning, making the CPRA a modernization of the original act. The updates come in the form of defining “profiling” — the automated processing of PII to evaluate and make predictions concerning that individuals work performance, economic situation, health, preferences, interests, reliability, behavior, location or movements — as well as opt-out options regarding a brand’s use of AI technology. The CPRA is also determined to increase the level of transparency by asking brands to provide the reasoning behind their automated decisioning and the likely outcome with respect to the consumer. 

The CPRA becomes effective on January 1, 2023. 

CPA

The CPA gives residents of Colorado the right to opt-out of targeted advertising, the sale of their PII (defined as information that is linked or reasonably linked to an identified individual), and numerous types of identity profiling. Beginning July 1, 2024, controllers have to account for user-selected universal opt-outs regarding targeted sales and advertising efforts. The CPA also provides Colorado residents with the ability to access, correct, and remove their PII — as well as the right to obtain and reuse their personal data for their own purposes across different services (aka data portability). 

VCDPA 

The VCDPA provides residents of Virginia with a set of new privacy-first rights, including: The right to know, access and confirm personal data; The right to delete personal data; The right to correct inaccuracies in personal data; The right to data portability; The right to opt-out of the processing of personal data for targeted advertising purposes; The right to opt-out of the sale of personal data; The right to opt-out of profiling based upon personal data; And the right to not be discriminated against for exercising any of the foregoing rights.

Companies subject to the VCDPA have to get consent from individuals prior to collecting and using certain PII, such as geolocation, protected characteristics, and genetic data. Further, the VCDPA states that companies keep only the data that’s required for specific purposes and no longer than necessary. 

The VCDPA takes effect on January 1, 2023. 

CTDPA

The CTDPA gives Connecticut residents the right to opt-out of providing brands with access to their sensitive data. Sensitive data is defined by the CTDPA as racial or ethnic origin, religious beliefs, genetic or biometric information, precise geolocation, and more. The CTDPA also requires that data controllers fulfill data protection principles (e.g., data minimization and purpose limitation). This ensures that data collection is “adequate, relevant, and necessary.” 

Data controllers have to provide greater data security under the CTDPA by creating sufficient physical, technical, and administrative safeguards. Processing activities that present a heightened risk of harm — targeted advertising, profiling, sales of personal data, or processing sensitive information — dictates that the data controller needs to conduct even further protection assessments.

The CTDPA takes effect on July 1, 2023. 

The Impact to AI for eCommerce

All the new regulations have language around protection from the processing of personal data to profile and target through the use of automated decision-making — two areas where today’s AI shines. If your business is leveraging AI with PII, compliance should be your main goal heading into 2023. However, removing PII from eCommerce marketing efforts may not seem like a viable option. Fortunately, there’s a way to segment and target without the use of PII — ZineOne in-session marketing.

With in-session marketing, a retailer uncovers more relevant contextual data needed to drive conversions without having to personally identify the site visitor, as it doesn’t require historical, demographic, PII, or CRM data to be successful. 

“You have to have a solution that enables value-add to that population that focuses on results rather than identification. In-session marketing, being able to understand the session behavior without having historical context, is where retailers must look to optimize their eCommerce revenue. That’s where the focus needs to go.”

Debjani Deb, CEO of ZineOne

Learn more about the ZineOne platform and how it helps eCommerce leaders solve the challenges of a privacy-first world

You might also be interested in

Takeways from NRF 2023 NRF 2023 Takeaways: Retail Set to Combat Uncertainty with Agility
The retail industry and the behaviors of its consumers are continually shifting as inflation increases, budgets decrease, and…
Read More
Ecommerce revenue growth when resources are shrinking How to drive ecommerce revenue growth with shrinking resources
Key areas a digital brand can improve — without adding more manpower or budget — to help drive…
Read More
post-purchase experiences to grow brand loyalty and build revenue Post-Purchase Experiences: Building Loyalty and Growing Revenue After Checkout
Rising acquisition costs and declining consumer spending have eCommerce brands searching for new avenues to avoid a sharp…
Read More

Request a Demo

We look forward to getting to know your business!

Thank You for submitting the form