The California Privacy Rights Act Leads the Way on Wave of State Privacy Legislation

Privacy, cybersecurity and data strategy partner Ken Dort and associate Mitchell Noordyke coauthored an article for The Review of Securities & Commodities Regulation that discusses the California Privacy Rights Act (CPRA), which takes effect on January 1, 2023, and creates new rights for consumers and new obligations for covered businesses.

In the article, the authors describe various changes the CPRA has made to existing privacy law, including the first state privacy agency in the U.S., automated decision-making disclosures, new entity designations, broader notification obligations, data minimization and storage limits, regulation of data “sharing,” and enhanced consumer rights.

The authors conclude by comparing the CPRA with new privacy laws in Virginia, Colorado and Utah. They note that the details and nuanced differences between them will require careful review to ensure compliance with each statute as applicable.

The full article is available for The Review of Securities & Commodities Regulation subscribers.