More than just New Year’s resolutions went into effect when the clock struck midnight on January 1, 2023. The California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCPDA”) are now effective in California and Virginia, respectively. These comprehensive data privacy laws, along with three other state laws going into effect this year, establish new and complex obligations for businesses. If your business has not taken steps to prepare for these privacy laws, it is high time to start that process to avoid violations and enforcement likely to follow later in the year. See below for a timeline of key dates.

The CPRA amends the California Consumer Privacy Act (“CCPA”), which was the first comprehensive privacy law in the United States. The CPRA does not expand the applicability of the CCPA, but does impose a number of new requirements. In addition to creating several new consumer rights, two important CCPA exemptions are no longer in effect as of January 1, 2023: (1) the exemption for certain employment-related information of workforce members, meaning employers’ obligations in handling workforce personal information have significantly expanded; and (2) the temporary exemption for certain business-to-business (“B2B”) personal information, meaning businesses will have to apply expanded requirements to personal information about business partners.

While the CPRA is in effect, the California Privacy Protection Agency (“CPPA”), the new agency created by the CPRA and tasked with enforcing the CCPA, has delayed issuance of final rules. During a December 16, 2022 board meeting, the CPPA Executive Director noted that the final rules will likely be released in late January. Until the final regulations are approved, existing regulations will be in effect.

As we discussed previously, though the state laws going into effect this year diverge in some significant ways, the laws share a common goal of protecting consumer data and, therefore, contain numerous similarities. This checklist of questions below may help your business prepare for compliance with these laws, as well as similar laws that may be enacted by other states in the future.

  • Have you conducted data mapping to identify the types, locations and uses of personal information (including sensitive personal information) collected or used about consumers, workforce members, and individuals obtained in B2B contexts?
  • Have you determined whether the personal information could qualify as a sale or sharing to any third parties?
  • Have you determined if your company is able to generate reports about personal information maintained pertaining to each consumer, and to correct or delete data?
  • To the extent personal information is sold or shared or characteristics are inferred from sensitive personal information, have you decided whether to: (a) comply with the CPRA’s opt-out or restrictions requirements; or (b) take steps to end any further sales, sharing, or inferring of characteristics?
  • Have you revised your website privacy policies?
  • Have you revised or implemented a CPRA privacy policy regarding how workforce members can exercise their data privacy rights?
  • Have you developed administrative processes to manage the response to requests to exercise rights?
  • Have you created governance structures to monitor compliance and coordinate with other departments within your company?
  • How will your organization monitor the rulemaking process in the relevant states and update any policies and practices accordingly?
  • Have you evaluated if your company should engage a reliable third-party auditor to conduct annual cybersecurity audits and privacy impact assessments?
  • Have you identified all service providers, contractors, and third parties that collect or use personal information and ensure that the agreements with such parties comply with any state law requirements?
  • Have you identified any contractual, statutory, or operational needs for retaining personal information, identified any redundant data for deletion, and considered engaging counsel to assist in establishing appropriate record retention policies and communications?

Epstein Becker Green will be closely following the rulemaking process in these states as implementing regulations are developed, and as other states continue to legislate in this area. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.