BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, establishing some of the most comprehensive consumer privacy rights within the United States. In this post we highlight these changes in law and provide a checklist to help companies comply with these new legal challenges.

Quick Recap of CCPA

Influenced by the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), which went into effect in 2020, created an array of new consumer privacy rights, allowing California consumers to make direct requests to companies to disclose what personal information of such individuals the companies had shared and to delete or no longer share the information. In turn, many companies doing business in California had to reassess their data collection and use processes to accommodate these new consumer rights.

CPRA Amends CCPA

The CPRA, also known as Proposition 24, amends the CCPA in the following ways:

  • Creates a new process for consumers to correct their personal information
  • Builds in new consumer opt-out rights
  • Creates a more comprehensive process for companies to provide disclosed information to consumers
  • Creates more comprehensive requirements surrounding data retention, data minimization, and purpose of use
  • Requires companies to include additional data security provisions in their contracts with service providers and data processors
  • Creates increased audit requirements, including periodic risk assessments and independent cybersecurity audits

VCDPA Mirrors Other Privacy Acts

Building off the frameworks of the GDPR, CCPA, and CPRA, the VCDPA expands consumer protection rights by permitting Virginia consumers correction and opt-out rights with respect to their personal information. In turn, many companies doing business in Virginia must reassess their data collection and use processes just as they have been required to do in California.

State Privacy Law Checklist

To help businesses prepare for these new state privacy laws in 2023, our privacy and cybersecurity team has created a state privacy law checklist. The checklist helps companies determine whether a state privacy law applies to them, and includes actionable steps companies can take to ensure compliance.

View the State Privacy Law for CPRA Plus Compliance Checklist >>

Also check out our US Consumer Privacy Acts resource center for more information, including on the Colorado Privacy Act, which takes effect July 1, 2023.