Watch the recording of our webinar about preparing for changes to the California Privacy Rights Act, featuring Morrison & Foerster partner Julie O’Neill and associate Cecillia Xie.
Less than a year after the CCPA became operative, California voters significantly expanded it by approving Proposition 24, the California Privacy Rights Act (CPRA), on Election Day 2020. The CPRA, which will become operative on January 1, 2023, imposes additional compliance obligations on covered businesses, including by giving consumers the right to request correction of their PI, creating new protections for “sensitive personal information,” and requiring even more detailed privacy notices, among other changes.
Since the CCPA’s passage, more than 30 other state legislatures have introduced comprehensive consumer privacy bills in various forms. In March 2021, Virginia became the next domino to fall with the enactment of the Virginia Consumer Data Protection Act (VCDPA), which will become operative on January 1, 2023. In addition to granting Virginia consumers individual rights of access, correction, deletion, and opt-out from sale of PI, the VCDPA also requires covered businesses to limit their collection of consumers’ PI, perform data protection assessments for certain processing activities, and establish procedures by which consumers may appeal denials of their requests. Unlike the CCPA, the VCDPA does not provide for a private right of action by which consumers may sue for violations, but instead grants the Virginia Attorney General exclusive enforcement authority.
Our team has been closely monitoring developments related to the CCPA, CPRA, VCDPA, and similar pending state bills across the U.S., and we have written and presented extensively on these laws and their practical implications. We are providing the resources on this page as an overview to help companies identify their obligations, track legislative and enforcement trends, and ultimately mitigate risk.