Upcoming Data Privacy Regulations: What you can do to prepare

Complying with the California Privacy Regulation Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) is likely a key privacy priority for many this year. Uncertainty about the regulations and their impact can make this seem more daunting. What are some things we can do to prepare while waiting for the regulations to take effect? We recently had an illuminating conversation with Lauren Kitces (https://www.linkedin.com/in/laurenkitces) on how to prepare for the upcoming regulations.


  1. Alignment is key: The most practical first step is making sure that everyone within the organization is aligned on the big picture. This includes the company's privacy vision and goals and a clear understanding of the prevailing regulations. Set up informative conversations and communications about privacy that can reach the breadth of your organization. The vision and alignment can guide your overall efforts.

  2. Adaptability and flexibility: Upcoming regulations have not yet been finalized and nothing is set in stone. For example, the CPRA rules can be expected to be detailed and extensive but will not be published till June 2022. Similarly, the Colorado Attorney General’s office announced they will start rulemaking on a number of topics including dark patterns. Build flexibility into your programs and be ready to refine your strategies as the regulatory landscape becomes clearer. Continue to maintain regular communication with stakeholders about the anticipated changes.

  3. Know your current status: Know your current data environment and the processes you have in place for privacy compliance. Be aware of the culture within your organization around privacy and change management.

  4. Choose the path that best suits you: It will be impossible to build separate programs for each jurisdiction. You will have to flex your privacy program to accommodate the nuances of the different regulations. Think about the aspects of your program that you will want to flex and how. As an example, in handling DSARs based on state of residence, your choices may be to develop separate processes for each state or to have a common process that deals with individual requests from different states on a one-off basis. The approach you take may depend on your customer base, and different approaches may have different costs, advantages and disadvantages. Think about the approach that would best suit your company.

  5. Lookback period: An important fact to keep in mind is that the lookback period for the CPRA starts Jan 1, 2022. This means that all the data you deal with from this date falls under the scope of various requests that can be submitted once the law goes into effect in June 2023. Identify areas where you may have more difficulty complying and start making changes in these areas sooner than in other areas.

While the new laws do impose additional privacy burdens, they offer an opportunity to pause, step back, reevaluate options and look at what makes sense in the long run. They also reinforce that privacy compliance is here to stay. Use the next few months to gain as much knowledge as you can about the new laws, evaluate your business processes and chart the privacy compliance trajectory for your company.