top of page
  • Writer's pictureKate Kliebert

4 More States Join the CCPA: Comprehensive Privacy Law

4 more states have joined the CCPA - —Colorado, Connecticut, Utah and Virginia—have now also enacted comprehensive consumer data privacy laws that were first adopted by only the state of California.

As a reminder, the CCPA became effective in January 2020 and was the first comprehensive privacy law in the United States. It gave consumers in California rights they did not previously have, including the right to access any personal information businesses have stored about them, the right to request the companies delete their personal information, and the right to opt-out of the sale of their personal information. Amendments to the CCPA are coming January 1, 2023. One of the biggest changes is that companies will no longer have the right to cure violations of the law before being fined for noncompliance.

The laws in Colorado, Connecticut, Utah, and Virginia are not as broad as California’s, but the trend is clear. Consumers are now afforded more rights – and as a company you must know that these laws are in effect.

Do these laws apply to your business?

It’s not always easy to figure out which of these laws your business must follow. The rules are different in each state. Generally they kick in once your business process or controls data on a certain number of consumers, sells data on a certain number of consumers, or reaches a certain revenue threshold. But remember – even if these laws don’t apply to your business, you may be contractually obligated to follow them if you provide services to bigger companies that do need to comply. What do if a customer asks you to delete their info? First, have a mechanism in place for receiving and tracking requests. You will need to confirm receipt of the request quickly once it is received. Then start with a conversation with your IT department, as they know where your data is stored. This type of information is often stored across multiple databases and systems, and you will need to make sure to identify and search them all. Give the person responsible for handling these requests the persons information and make sure that all their personal info is deleted. This information would include their name, address, phone number, email address and any other info you collected based on their cookie tracking storage. You should also notify any service providers who may have the consumer’s information of the request. Make sure to keep records of where you have searched and deleted information in case you need to prove compliance down the road. Finally, you should notify the consumer that their request is complete.

What types of companies sell personal information?

· Data Brokers

· Acxiom

· Advantage Credit


· BeenVerified

· Cortera

· Equifax

· Experian

What types of companies/products store data?

· Mail Chimp

· Constant Contact

· Databases

· Third Party CRMS

What is definition of comprehensive consumer data privacy law?

Comprehensive privacy laws outline what businesses can and cannot do when collecting and using a consumer’s personal information. They also give consumers certain rights with respect to their information after it is obtained. The CCPA, for example, requires business privacy policies to include information on consumers' privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.

In some cases, you can stay out of trouble if you practice these simple principles: transparency, legitimate purpose, and proportionality. If you company needs help creating your company’s privacy policy documents or maybe, you just need to review what your company is telling its customers they are doing with their personal data – our audit might be right for you. Most owners just don’t know so give us a call today and get your audit complete before the end of 2022.

Someone has the right to ask you to delete info on them. People are getting more rights and you need to be ready!


bottom of page