The last two years were busy ones for privacy advocates. In 2020, California voters passed the California Privacy Rights Act (CCPA), a major revision of the California Consumer Privacy Act of 2018; Virginia adopted the Consumer Data Protection Act; and Colorado approved the Colorado Privacy Act. Each of these laws will have an impact in how businesses, particularly those with an online presence (so, virtually all businesses), collect, process and protect personal information.

This is a challenge for any business, even those that have worked to comply with existing laws—the CCPA and the EU’s General Data Protection Regulation—and best practices. It’s not going to become any easier: Florida, Washington, Indiana and the District of Columbia have all introduced consumer data privacy acts, just weeks into the new year. As we see a proliferation of state laws, combined with the possibility of federal action on the regulatory or legislative front, companies need to adopt a strategy for compliance.