As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. The data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now subject to specific prescribed standards and requirements, in recognition of the consumer rights created by each of the Acts. As a result, businesses need to ensure that their policies and practices are adjusted to address the increased privacy risk.

The Virginia Consumer Data Protection Act (“VCDPA”) will go into effect on January 1, 2023. This statute requires companies that operate in Virginia or target Virginia consumers (whether or not the company is located in Virginia) and collect personal information from more than 100,000 Virginia consumers annually to meet certain cybersecurity requirements and to offer certain privacy rights to those consumers, such as the right to opt out. For more specifics on the VCDPA, read on here.

The California Privacy Rights Act (“CPRA”) also goes into effect on January 1, 2023. This statute applies to any business that collects the personal information of a California resident if that business meets one of the following three criteria: (1) had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year; (2) alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or (3) derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information. These businesses must meet certain disclosure and cybersecurity requirements and must offer certain privacy rights to those consumers. Subject to certain exceptions, these rights include the right of consumers to know what information is collected about them, the rights to correct and delete their personal information, the right to opt out of the sale or sharing of their personal information and the right to limit the use of their sensitive personal information. Read on for more specifics on the CPRA here.

Our Data Privacy & Security team can assist with drafting privacy policies that are consistent with the Virginia CDPA and the CPRA. Contact us today to learn more.