California leads pack of new privacy requirements

ARTICLE | March 23, 2023

Authored by RSM US LLP

The recent expiration of exemptions in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requires more companies that do business in California to meet stricter privacy requirements. California has started a cascade of copycat or new state-level privacy laws and regulations that organizations may also need to comply with. With the privacy landscape becoming more complex, companies need to evaluate how they address privacy and consider taking a more comprehensive approach.

New California privacy laws go into effect

The CCPA, signed into law in 2018, is designed to give Californians control over their personal data and has served as a blueprint for privacy requirements in additional states. The requirements have provided Californians with several privacy rights, including the right to access their personal data, have businesses delete their personal data, prevent the sale of their personal data, and initiate lawsuits following personal data breaches.

As of Jan. 1, 2023, these rights extend to job applicants and employees, and may apply to the personal data of employees’ spouses, spousal equivalents, dependents and beneficiaries. The provisions also protect personal data collected in business-to-business (B2B) transactions. California residents are the first to be covered under such a comprehensive privacy law and regulation at the state level.

In addition, the CPRA came into effect Jan. 1, 2023, serving as an amendment and extension of the CCPA, and includes additional consumer rights, such as the right to ensure a business corrects inaccurate personal data, the right to opt out of automated decision-making, and the right to limit an organization’s use of sensitive personal data.

If these new rights are not incorporated into an existing privacy program and operationalized, then noncompliant organizations may face regulatory scrutiny from the California Privacy Protection Agency (CPPA), the agency responsible for enforcement. Such enforcement actions may result in fines or other financial impacts and immeasurable reputational harm.

Failure to comply with the CCPA/CPRA can result in monetary penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. Some settlements have already surpassed $1 million, and settlements are likely to become larger and more frequent. Additionally, consumers may decide to act if their personal data is exposed and not adequately protected or recognized by an organization, resulting in additional lawsuits, potential payouts and legal expenses.

Only the beginning

While California is in the spotlight because it is the most recent state to enact a privacy law and regulation, many more privacy requirements are on the horizon. Companies cannot lose sight of other state laws and regulations that will go into effect soon and have similar consequences for noncompliance. In 2023 alone, new privacy requirements will commence in Colorado, Connecticut, Utah and Virginia in addition to California.

Other states are sure to follow suit because privacy has become a critical issue in recent years, and momentum is not slowing. For example, Indiana, Iowa, New Hampshire, and Texas have all introduced bills, some of which are already under committee review. The Texas law, in particular, leverages the language of the Virginia requirements, which appears to be the trend at the state level.

| State laws and regulations | Effective date |
| --- | --- |
| California Consumer Privacy Act (CCPA) | Jan. 1, 2020, with the exception of personal data of California resident job applicants and employees and collected in B2B transactions, for which the effective date is Jan. 1, 2023 |
| California Privacy Rights Act (CPRA) | Jan. 1, 2023 |
| Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut Data Privacy Act (CTDPA) | July 1, 2023 |
| Utah Consumer Privacy Act (UCPA) | Dec. 31, 2023 |
| Virginia Consumer Data Protection Act (VCDPA) | Jan. 1, 2023 |

A consistent approach to privacy

Many of these state privacy requirements have a similar blueprint, with best-practice policies and procedures designed to protect a resident’s privacy. Instead of handling each of these requirements on an ad hoc, state-by-state basis as they go into effect, a more effective and efficient approach is to implement privacy requirements up front in a way that is anticipatory and future-proofed.

Taking a proactive privacy stance and focusing on operationalizing personal data governance helps companies stay ahead of compliance obligations, reducing stress on internal processes and personnel as new laws and regulations commence. This “design and build once for many” framework can anticipate and meet the needs of rapidly evolving privacy frameworks both within the United States and globally.

This article was written by Alison Brunelle, Jack Harding and originally appeared on 2023-03-23.
2022 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
