Client Alert

A MoFo Privacy Minute Q&A (18 May 2021)

18 May 2021

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

Question: The new California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will be operative on January 1, 2023. That seems like a lot of time to prepare, and the CPRA regulations are not out yet. When should I begin, and how can I phase out the work over 2021 and 2022?


There are several good reasons not to wait to begin preparing for the CPRA and VCDPA.

One, there are several new requirements under these laws that will require coordination among legal, information technology, marketing, and other business units, which takes time.

Two, there are several new requirements that require changes to back-end practices, which take time to decide upon and implement.

Three, working on these laws over the course of 2021 and 2022 allows you to spread the budget across two years.

Four, no one enjoys the ninth-hour rush that comes from leaving things to the last minute.

To help businesses phase the CPRA and VCDPA work over 2021 and 2022, we suggest this order of priorities:



  • Prepare to fold employee personal information and personal information of business representatives into your CCPA compliance program (CA), including how you will receive and honor their CPRA requests.
  • Businesses need to have legacy agreements with service providers/processors (CA and VA) and other third parties (CA) amended by 1/1/23. To achieve this, businesses should start using the new addenda in agreements they enter into now.
  • Prepare internal written guidelines on de-identification, aggregation, and pseudonymization to meet the criteria of CPRA and VCDPA.
  • Prepare an internal written data retention policy with criteria for how long each category of personal information will be retained (CA).
  • If you are a service provider to businesses, determine what, if anything, you must change about the scope of your use of personal data that you process for your business customers.
  • Determine whether you process sensitive personal information/data (as defined differently by CPRA and VCDPA) and, if so, plan to give consumers the required opt-out (CA) and opt-in (VA) rights.
  • Determine whether you “sell” or “share” personal information, or use it for targeted advertising or automated decisions, and determine what opt-in and opt-out rights you will be required to give to consumers.
  • Consider an internal process for sending deletion requests to all third parties to which you have disclosed personal information, not only your service providers (CA).




  • Update your Privacy Notices in accordance with CPRA and VCDPA.
  • Update (or prepare) a Privacy Notice to employees in accordance with the CPRA.
  • Update your internal procedure to process individual requests in accordance with the CPRA and VCDPA, and add an appeals process.
  • Update your internal CCPA training materials to conform to the CPRA and VCDPA.
  • Identify what your business does that requires a data protection assessment (VA) or a risk assessment (CA), prepare assessment templates, and conduct any required assessments.
  • Review your financial incentive programs for compliance with CPRA and VCDPA.


Visit our Privacy + Data Security page for additional information from our privacy library and resource centers on cybersecurity, state privacy laws, and the GDPR.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.