Required Actions for Privacy Rights Laws Now in Effect
January 12, 2023
With the start of the new year, the U.S. privacy law landscape is now more complex than ever, as the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA)—which impact businesses beyond those state borders—have now taken effect.
The CPRA brings a number of amendments to the California Consumer Privacy Act (CCPA) and sets the California Privacy Protection Agency as the agency in charge of enforcement. Virginia's CDPA is similar in some respects, but is generally considered simpler to comply with than the CPRA.
CPRA vs. CDPA
Notable among the provisions that are different from the CPRA, the CDPA provides a broader affirmative consent or opt-in requirement for consumers, a broader opt-out right, an obligation to confirm data processing, broader data deletion requirements, a conspicuous disclosure of a mandatory right to appeal the denial of consumer rights, different data minimization standards, and other measures. On the data security front, while the CPRA does not yet require it (but is expected to beginning July 1, 2023), the CDPA requires mandatory data protection. Compliance will likely be checked against the requirements set in the Cybersecurity Framework set by the National Institute of Science and Technology (NIST).
Overall, these laws make it clear that compliance with privacy requirements can be complex and tricky to accomplish. This is frequently the case because, for example, these laws apply to businesses that do not have a physical location in either of these states and the nuanced differences can be missed.
We Can Help
Maslon can help guide your process to determine the steps your company should take to avoid any regulatory action.