lead supervisory authority in an EEA member state, we would not be able to benefit from the GDPR’s ‘one stop shop’ mechanism. Amongst other things, this would mean that, in the event of a violation of the GDPR affecting data subjects across the United Kingdom and the EEA, we could be investigated by, and ultimately fined by the United Kingdom Information Commissioner’s Office and the supervisory authority in each and every EEA member state where data subjects have been affected by such violation.
In the United States, numerous federal and state laws and regulations, including state personal information laws, state data breach notification laws, and federal and state consumer protection laws and regulations, govern the collection, use, disclosure and protection of personal information. For example, the California Consumer Privacy Act, or CCPA, went into effect on January 1, 2020. The CCPA creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal information of consumers or households. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. While there is currently an exception for protected health information that is subject to HIPAA and clinical trial regulations, as currently written, the CCPA may impact certain of our business activities and may increase our compliance costs and potential liability.
Additionally, California voters approved a new privacy law, the California Privacy Rights Act, or CPRA, in the November 3, 2020 election. Effective starting on January 1, 2023, the CPRA will significantly modify the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. In addition, other states have enacted or proposed data privacy laws. For example, Virginia passed the Consumer Data Protection Act, or the VCDPA, effective January 1, 2023; Colorado recently passed the Privacy Rights Act, or the CPA, effective July 1, 2023; Connecticut passed the Data Privacy Act, or CDPA, effective July 1, 2023; and Utah recently passed the Consumer Privacy Act, or the UCPA, effective December 31, 2023. These laws demonstrate our vulnerability to the evolving regulatory environment related to personal information and make it difficult to predict the impact of such laws on our business or operations. The CPA and CDPA are similar to the CCPA and CPRA but aspects of these state privacy statutes remain unclear, resulting in further legal uncertainty and potentially requiring us to modify our data practices and policies and to incur substantial additional costs and expenses in an effort to comply.
In addition to the foregoing, any breach of privacy laws or data security laws, particularly resulting in a significant security incident or breach involving the misappropriation, loss or other unauthorized use or disclosure of sensitive or confidential patient or consumer information, could have a material adverse effect on our business, reputation and financial condition. As a data controller (under the GDPR) or business (under the CCPA), we will be accountable for any third-party service providers we engage to process personal data on our behalf, including our CROs. We attempt to mitigate the associated risks but there is no assurance that privacy and security-related safeguards will protect us from all risks associated with the third-party processing, storage and transmission of such information.
New legislation proposed or enacted in Illinois, Massachusetts, Nevada, New Jersey, New York, Rhode Island, Washington and other states, and a proposed right to privacy amendment to the Vermont Constitution, imposes, or has the potential to impose, additional obligations on companies that process confidential, sensitive and personal information, and will continue to shape the data privacy environment nationally. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we would become subject if it is enacted. All of these evolving compliance and operational requirements, including the requirement to comply with GDPR, CCPA, CPRA, VCDPA, CDPA, CPA, UCPA or other laws, regulations, amendments to or re-interpretations of existing laws and regulations, and contractual or other obligations relating to privacy, data protection, data transfers, data localization, or information security may impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects, modify our data practices and policies, restrict our business operations, and could restrict the way products and services involving data are