What’s the difference between CCPA, CPRA, VCDPA, CPA, and CTDPA — and how do I comply with all of them?
Categories:
Magento Developer — United States
They’re state-level privacy laws, all GDPR-flavoured but with different scopes:
- CCPA (California, 2020) — right to know, delete, opt-out of sale
- CPRA (California, 2023) — adds “sensitive personal info” + Cal Privacy Protection Agency
- VCDPA (Virginia, 2023) — opt-in for sensitive data, DPIA requirement
- CPA (Colorado, 2023) — universal opt-out signal (Global Privacy Control)
- CTDPA (Connecticut, 2023) — similar to CPA
Magento doesn’t handle this natively. We deploy a cookie-consent CMP (Cookiebot, OneTrust, or open-source Klaro), per-state-view opt-out flows, and a DSAR automation (data-subject-access requests handled in < 45 days). Configured per state-view, not site-wide — California users see the “Do Not Sell” link, others don’t.
Was this helpful?