More than just New Year’s resolutions went into effect when the clock struck midnight on January 1, 2023. The California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCPDA”) are now effective in California and Virginia, respectively. These comprehensive data privacy laws, along with three other state laws going into effect this year, establish new and complex obligations for businesses. If your business has not taken steps to prepare for these privacy laws, it is high time to start that process to avoid violations and enforcement likely to follow later in the year. See below for a timeline of key dates.

The CPRA amends the California Consumer Privacy Act (“CCPA”), which was the first comprehensive privacy law in the United States. The CPRA does not expand the applicability of the CCPA, but does impose a number of new requirements. In addition to creating several new consumer rights, two important CCPA exemptions are no longer in effect as of January 1, 2023: (1) the exemption for certain employment-related information of workforce members, meaning employers’ obligations in handling workforce personal information have significantly expanded; and (2) the temporary exemption for certain business-to-business (“B2B”) personal information, meaning businesses will have to apply expanded requirements to personal information about business partners.

While the CPRA is in effect, the California Privacy Protection Agency (“CPPA”), the new agency created by the CPRA and tasked with enforcing the CCPA, has delayed issuance of final rules. During a December 16, 2022 board meeting, the CPPA Executive Director noted that the final rules will likely be released in late January. Until the final regulations are approved, existing regulations will be in effect.

As we discussed previously, though the state laws going into effect this year diverge in some significant ways, the laws share a common goal of protecting consumer data and, therefore, contain numerous similarities. This checklist of questions below may help your business prepare for compliance with these laws, as well as similar laws that may be enacted by other states in the future.

  • Have you conducted data mapping to identify the types, locations and uses of personal information (including sensitive personal information) collected or used about consumers, workforce members, and individuals obtained in B2B contexts?
  • Have you determined whether the personal information could qualify as a sale or sharing to any third parties?
  • Have you determined if your company is able to generate reports about personal information maintained pertaining to each consumer, and to correct or delete data?
  • To the extent personal information is sold or shared or characteristics are inferred from sensitive personal information, have you decided whether to: (a) comply with the CPRA’s opt-out or restrictions requirements; or (b) take steps to end any further sales, sharing, or inferring of characteristics?
  • Have you revised your website privacy policies?
  • Have you revised or implemented a CPRA privacy policy regarding how workforce members can exercise their data privacy rights?
  • Have you developed administrative processes to manage the response to requests to exercise rights?
  • Have you created governance structures to monitor compliance and coordinate with other departments within your company?
  • How will your organization monitor the rulemaking process in the relevant states and update any policies and practices accordingly?
  • Have you evaluated if your company should engage a reliable third-party auditor to conduct annual cybersecurity audits and privacy impact assessments?
  • Have you identified all service providers, contractors, and third parties that collect or use personal information and ensure that the agreements with such parties comply with any state law requirements?
  • Have you identified any contractual, statutory, or operational needs for retaining personal information, identified any redundant data for deletion, and considered engaging counsel to assist in establishing appropriate record retention policies and communications?

Epstein Becker Green will be closely following the rulemaking process in these states as implementing regulations are developed, and as other states continue to legislate in this area. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post.