This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: The new California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will be operative on January 1, 2023. That seems like a lot of time to prepare, and the CPRA regulations are not out yet. When should I begin, and how can I phase out the work over 2021 and 2022?
There are several good reasons not to wait to begin preparing for the CPRA and VCDPA.
One, there are several new requirements under these laws that will require coordination among legal, information technology, marketing, and other business units, which takes time.
Two, there are several new requirements that require changes to back-end practices, which take time to decide upon and implement.
Three, working on these laws over the course of 2021 and 2022 allows you to spread the budget across two years.
Four, no one enjoys the ninth-hour rush that comes from leaving things to the last minute.
To help businesses phase the CPRA and VCDPA work over 2021 and 2022, we suggest this order of priorities:
Visit our Privacy + Data Security page for additional information from our privacy library and resource centers on cybersecurity, state privacy laws, and the GDPR.