New U.S. State Privacy Laws: 10 Ways Companies Should Prepare


Organizations should be mindful of the 2023 effective dates of several new state privacy laws in the U.S. Companies should review the new laws to evaluate their applicability and identify potential enhancements to compliance programs. Upcoming effective dates include:

  • California Privacy Rights Act (CPRA): January 1, 2023
  • Virginia Consumer Data Protection Act (VCDPA): January 1, 2023
  • Colorado Privacy Act (CPA): July 1, 2023
  • Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA): July 1, 2023
  • Utah Consumer Privacy Act (UCPA): December 31, 2023

Here are 10 steps companies should consider taking to prepare for the new state privacy laws:

  1. Update data inventories (e.g., identify any sensitive personal information processing and/or the use of profiling, and capture all business-to-business data processing to account for the expiration of the California Consumer Privacy Act’s (CCPA) business-to-business exemptions).
  2. Once the data inventories are finalized, use their output to determine the scope and applicability of new state privacy laws.
  3. Leverage updated data inventories to revise privacy notices before January 1, 2023, along with vendor contracts, as needed, to address any new role designations and contracting requirements.
  4. Implement a process to conduct diligence and a risk assessment on vendors with access to sensitive personal information.
  5. Determine if the rights granted to individuals will be based on jurisdictional legal requirements or apply to all individuals, regardless of state of residence.
  6. Develop consent and opt-out mechanisms for revised and new consumer rights (e.g., Profiling, Do Not “Sell,” Do Not “Share,” Do Not Use “Sensitive PI,” Do Not Use “Automated Decision-Making”) and make applicable changes to websites, apps, and related online properties to address these new obligations.
  7. Update internal policies to address the revised and new consumer rights; train staff accordingly.
  8. To the extent deidentified data is used, implement reasonable measures to ensure the information cannot be associated with a consumer (or household), publicly commit to maintaining and using the information in deidentified form and to not attempting to reidentify it, and contractually obligate recipients of deidentified data to comply with these restrictions.
  9. Review the organization’s security posture, identify potential security enhancements and prepare for cybersecurity audit and risk assessment requirements.
  10. Because the CPRA will eliminate the thirty-day cure period originally permitted under the CCPA, implement written policies and procedures, and document ongoing privacy program activities and tracking metrics to be able to demonstrate compliance with state privacy laws and regulations.

If you need help updating your compliance program to address the state privacy laws, contact a member of Orrick’s Cyber, Privacy and Data Innovation Group or see our U.S. State Consumer Privacy Guide.