What are the CPRA, CPA, VCDPA, and CTDPA?

By Ian Nadeau on December 1, 2022

Artificial intelligence (AI) is an invaluable tool for ecommerce as it enables brands to personalize experiences at scale using algorithmic models that segment visitors and trigger actions in real-time. Because of this, brands are becoming increasingly reliant on the machine learning (ML) function of AI — especially as a predictive solution to counteract the rise in anonymous consumers. However, today’s AI could be tomorrow’s outlaw as upcoming privacy acts are set to regulate much of the consumer data that currenlty fuels its decisioning.

The rate of AI implementation has uncovered new privacy risks, mostly concerning the massive personal data that’s required for ML to accurately make predictions. The General Data Protection and Regulation (GDPR) and California Consumer Privacy Act (CCPA) both pioneered privacy protections that gave consumers greater control over what data is collected, how it can be used, and more. These acts severely trimmed the amount of usable personal data ecommerce brands can leverage for profiling consumers — and they were just the beginning. 

According to Gartner, 65% of the world’s population will have their personal data covered under modern privacy regulations by the end of 2023. We’re starting to see that prediction become reality with the following all taking effect in the near future.

  • California Privacy Rights Act (CPRA) (amends the CCPA)
  • Colorado Privacy Act (CPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Connecticut Data Privacy Act (CTDPA) 

Each of these privacy regulations allow consumers to opt-out of the automated processing of their personally identifiable information (PII) for the intent of profiling. Further, they create new compliance measures that brands need to consider, such as explaining the logic behind their automated decisions, how to avoid harmful automated decisions (e.g., employment or lending eligibility), and data deletion requests. 


The CCPA didn’t account for automated decisioning, making the CPRA a modernization of the original act. The updates come in the form of defining “profiling” — the automated processing of PII to evaluate and make predictions concerning that individuals work performance, economic situation, health, preferences, interests, reliability, behavior, location or movements — as well as opt-out options regarding a brand’s use of AI technology. The CPRA is also determined to increase the level of transparency by asking brands to provide the reasoning behind their automated decisioning and the likely outcome with respect to the consumer. 

The CPRA becomes effective on January 1, 2023. 


The CPA gives residents of Colorado the right to opt-out of targeted advertising, the sale of their PII (defined as information that is linked or reasonably linked to an identified individual), and numerous types of identity profiling. Beginning July 1, 2024, controllers have to account for user-selected universal opt-outs regarding targeted sales and advertising efforts. The CPA also provides Colorado residents with the ability to access, correct, and remove their PII — as well as the right to obtain and reuse their personal data for their own purposes across different services (aka data portability). 


The VCDPA provides residents of Virginia with a set of new privacy-first rights, including: The right to know, access and confirm personal data; The right to delete personal data; The right to correct inaccuracies in personal data; The right to data portability; The right to opt-out of the processing of personal data for targeted advertising purposes; The right to opt-out of the sale of personal data; The right to opt-out of profiling based upon personal data; And the right to not be discriminated against for exercising any of the foregoing rights.

Companies subject to the VCDPA have to get consent from individuals prior to collecting and using certain PII, such as geolocation, protected characteristics, and genetic data. Further, the VCDPA states that companies keep only the data that’s required for specific purposes and no longer than necessary. 

The VCDPA takes effect on January 1, 2023. 


The CTDPA gives Connecticut residents the right to opt-out of providing brands with access to their sensitive data. Sensitive data is defined by the CTDPA as racial or ethnic origin, religious beliefs, genetic or biometric information, precise geolocation, and more. The CTDPA also requires that data controllers fulfill data protection principles (e.g., data minimization and purpose limitation). This ensures that data collection is “adequate, relevant, and necessary.” 

Data controllers have to provide greater data security under the CTDPA by creating sufficient physical, technical, and administrative safeguards. Processing activities that present a heightened risk of harm — targeted advertising, profiling, sales of personal data, or processing sensitive information — dictates that the data controller needs to conduct even further protection assessments.

The CTDPA takes effect on July 1, 2023. 

The impact to AI for ecommerce

All the new regulations have language around protection from the processing of personal data to profile and target through the use of automated decision-making — two areas where today’s AI shines. If your business is leveraging AI with PII, compliance should be your main goal heading into 2023. However, removing PII from ecommerce marketing efforts may not seem like a viable option. Fortunately, there’s a way to segment and target without the use of PII — Session AI in-session marketing.

With in-session marketing, a retailer uncovers more relevant contextual data needed to drive conversions without having to personally identify the site visitor, as it doesn’t require historical, demographic, PII, or CRM data to be successful. 

“You have to have a solution that enables value-add to that population that focuses on results rather than identification. In-session marketing, being able to understand the session behavior without having historical context, is where retailers must look to optimize their ecommerce revenue. That’s where the focus needs to go.”

Debjani Deb, CEO of Session AI

Learn more about the Session AI platform and how it helps ecommerce leaders solve the challenges of a privacy-first world

Featured posts

website visitors are becoming increasingly anonymous

We are living in the Age of the Anonymous. How will you respond?

Consumers are pushing back against personal data collection of every kind. See three important ways retailers should adjust to meet the expectations of privacy-conscious consumers.

Read Blog
Shoptalk 2024 insights

What got my attention at Shoptalk 2024

Session AI CEO, Debjani Deb, shares her key insights from Shoptalk 2024 including what’s driving the hype behind AI and emerging business models that are disrupting the retail industry.

Read Blog
The four big themes at Shoptalk 2024

Talking Shop: The four big themes of Shoptalk 2024

See what trends are top of mind for leading retailers and brands at Shoptalk 2024, including AI and building an excellent customer experience.

Read Blog

Request a demo

Apply now