Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Key privacy notice disclosures under comprehensive California, Colorado and Virginia laws effective 2023

By Michael Young
privacy-freepik1170x658v68.jpg
June 8, 2022

California, Colorado and Virginia have enacted comprehensive laws governing consumer privacy. These laws will be effective in 2023. This document outlines certain key content that may be required under these laws in website privacy notices, with an emphasis on new requirements not part of existing laws. Thus, these requirements may require revisions or updates to existing notices.  


Privacy notices should reflect rights available under each state’s law. These include the following:


  • Virginia’s Consumer Data Protection Act (CDPA) gives consumers a right to know whether a controller is processing the consumer’s personal data, the right to access personal data processed by the controller, the right to correct, the right to delete, the right to data portability, and right to opt-out of targeted advertising, the sale of personal data or profiling having legal or significant effects (such as the ability to obtain loans, housing, education, health care, or the like). The business must also provide a right of appeal with respect to the exercise of other rights. If the appeal is denied, Virginia controllers must provide the consumer with an online mechanism to contact the Virginia Attorney General, and Colorado controllers are required to inform consumers of their right to contact the Colorado Attorney General about the results of the appeal. 


  • Colorado’s CPA (CPA) gives consumers the right to access, the right to delete, the right to data portability, and the right to opt-out of targeted advertising, the sale of personal data, or profiling via a universal opt-out mechanism. In addition, an appeal process must be “conspicuously available” and easily usable by consumers. 


  • California’s Privacy Rights Act (CPRA) gives consumers a right to know what personal information is being collected, the right to access personal information, the right to know what personal information is sold or shared and to whom, the right to correct, the right to delete, right to data portability, right to opt-out of the sale of information, right to opt-out of “sharing” of personal information, and the right to limit use and disclosure of sensitive personal information. (“Sharing” is a defined term in the law that appears to limit online behavioral advertising. “Sensitive” personal information includes information such as SSN, financial account, precise geolocation data, racial and ethnic orientation, labor union affiliation, and genetic, biometric, and health data.)

 

Other disclosures that need to be expanded regarding the collection and sharing of information:

  • Virginia controllers are required to provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including appeal of a controller’s decision; (4) categories of personal data shared with third parties; and (5) categories of third parties with whom the controller shares personal data. We have emphasized (4) and (5) in this list as potentially requiring expanded detail in comparison to the current notice. 

 

  • Businesses subject to the Colorado law must similarly indicate (1) the categories of personal data collected or processed, (2) the purpose for processing such categories of personal data, (3) how the consumer may exercise rights, including appeal, (4) the categories of personal data shared with third parties, if any, and (5) the categories of third parties, if any, with whom the controller shared personal data.   


As one potential approach for meeting these requirements, the business might consider including a chart within its website privacy notice that breaks down required information for each category of personal data, including:


  1. Identify the retention period for data sharing. Under California’s law, businesses must identify their retention period for the categories of data they collect. 
  2. Consider presenting an additional heightened form of initial notice separate from the main website privacy notice. Under Colorado’s law, “clear and conspicuous” notice is required regarding the sale of personal data or data processing for targeted advertising. Under California’s law, an initial notice provided “at or before the point of collection” must indicate the categories of sensitive information collected, the purpose for such collection, and whether such information is sold or shared. Such initial notice must also indicate retention periods for each category of information collected and indicate relevant opt-out rights to the consumer. 
  3. Regulatory guidance interpreting these requirements is pending, and we note that there are no established commercial practices with respect to these new requirements. However, possibly, the business may want to consider providing a short-form notice presented when an individual first accesses the website with relevant disclosures and/or linking to more complete disclosures in a longer notice. 
  4. Include ‘Deidentified Data’ Commitments Under Virginia Law. Virginia’s law requires the business to provide a ‘public commitment’ regarding the use of de-identified data. As part of such commitment, the business must publicly commit not to re-identify such data.
KEYWORDS: cyber security data privacy data protection risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Michael Young is a Cybersecurity & Privacy attorney with Morris, Manning, & Martin, LLP.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Top Cybersecurity Leaders
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Education & Training
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Broken wet floor sign

Why Response Time Is Becoming the Missing Metric in Workplace Safety and Security

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Cyber Tactics

AIBOMs: Bringing AI Security Out of the Shadows, A Practical Guide for Security Professionals

Medical professional

Nearly 85% of Nurses Experienced Workplace Violence in the Last Year

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • data-law-freepik1170x658.jpg

    Amendments proposed to Virginia Consumer Data Protection Act

    See More
  • 5 mins with

    5 minutes with David Bodnick - Is the California Privacy Rights Act (CPRA) effective?

    See More
  • privacy freepik

    CPRA update: Board appointments announced for California Privacy Protection Agency

    See More

Related Products

See More Products
  • 9780128147948.jpg

    Effective Security Management, 7th Edition

  • effective.jpg

    Effective Physical Security, 5th Edition

  • 9780367030407.jpg

    National Security, Personal Privacy and the Law

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing