The California Consumer Privacy Act + Other State Consumer Privacy Laws

Featured Webinar

Take Notice: Exploring the Impacts of new U.S. State Laws on Companies' Privacy Disclosures

Join Morrison & Foerster’s Global Privacy + Data Security Group for our masterclass webinar, “Take Notice: Exploring the Impacts of New U.S. State Laws on Companies’ Privacy Disclosures.”


Less than a year after the CCPA became operative, California voters significantly expanded it by approving Proposition 24, the California Privacy Rights Act (CPRA), on Election Day 2020. The CPRA, which will become operative on January 1, 2023, imposes additional compliance obligations on covered businesses, including by giving consumers the right to request correction of their PI, creating new protections for “sensitive personal information,” and requiring even more detailed privacy notices, among other changes.

Since the CCPA’s passage, more than 30 other state legislatures have introduced comprehensive consumer privacy bills in various forms. In March 2021, Virginia became the next domino to fall with the enactment of the Virginia Consumer Data Protection Act (VCDPA), which will become operative on January 1, 2023. In addition to granting Virginia consumers individual rights of access, correction, deletion, and opt-out from sale of PI, the VCDPA also requires covered businesses to limit their collection of consumers’ PI, perform data protection assessments for certain processing activities, and establish procedures by which consumers may appeal denials of their requests. Unlike the CCPA, the VCDPA does not provide for a private right of action by which consumers may sue for violations, but instead grants the Virginia Attorney General exclusive enforcement authority.

Our team has been closely monitoring developments related to the CCPA, CPRA, VCDPA, and similar pending state bills across the U.S., and we have written and presented extensively on these laws and their practical implications. We are providing the resources on this page as an overview to help companies identify their obligations, track legislative and enforcement trends, and ultimately mitigate risk.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.