California and United States Privacy Laws Questions

Comprehensive knowledge of the California Consumer Privacy Act and its amendment the California Privacy Rights Act, including scope and applicability to for profit businesses that collect or process personal information of California residents and meet statutory thresholds based on revenue, volume of data, or percentage of revenue derived from sale of personal information. Candidates should be familiar with the core consumer rights these laws create, including the right to know what personal information is collected and disclosed, the right to access and obtain a copy of personal information, the right to deletion, the right to data portability, the right to opt out of sale or sharing of personal information, special protections and opt in requirements for minors, and the right to limit use and disclosure of sensitive personal information. Understand business obligations such as notice at collection, transparent privacy policies, mechanisms to honor opt out and opt in requests, data mapping and inventory, handling of consumer privacy requests, vendor and service provider contractual obligations, recordkeeping, reasonable security safeguards, breach notification, privacy by design and impact assessment practices, and the role of enforcement authorities including the state attorney general and the newly created California Privacy Protection Agency. Include awareness of the limited private right of action that applies in specific data breach scenarios and how enforcement evolved under the amendment. Broaden this knowledge to the wider United States state privacy landscape, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Montana Consumer Data Privacy Act, noting key differences and alignments such as differing thresholds, exemptions, definitions of personal information, scope of consumer rights, enforcement models, and timelines for implementation. Be prepared to compare and contrast the California framework with the General Data Protection Regulation, for example differences in lawful basis for processing, opt in versus opt out models, supervisory authority and enforcement structures, extraterritorial scope, and practical compliance implications for multinational and multi state operations. Interviewers may probe practical implementation strategies such as building data subject request processes, consent and opt out user flows, data inventories, vendor management clauses, retention and purpose limitation policies, and how to operationalize regulatory changes across a complex organizational footprint.