Staying Ahead of State Privacy Laws: A CPA Firm's Challenge

State privacy laws are evolving fast. California’s CCPA, Virginia’s CDPA, and other similar regulations are rewriting how firms handle personal data. For CPA firms, this is not just about ticking legal boxes—it’s about maintaining trust and avoiding costly missteps.

Each law brings unique definitions and expectations. What one state considers "personal data" might differ from another. Some mandate encryption, others limit access, or demand data deletion upon request.

That’s a tall order for any firm, especially for CPAs who are already deep into client work, tax prep, and audit deadlines.

Examples of Privacy Laws as of September 2025

For CPA firms operating across multiple states, privacy regulations continue to become increasingly complex. Understanding which laws apply and their specific requirements is critical to maintaining compliance and protecting client data.

Here are several key privacy laws active as of September 2025:

• California Privacy Rights Act (CPRA): Strengthens the original CCPA with stricter rules around sensitive data, opt-outs, and transparency. Enforced by the California Privacy Protection Agency.
• Virginia Consumer Data Protection Act (VCDPA): Grants consumers the right to access, delete, and correct their data. Requires firms to conduct data protection assessments for high-risk processing.
• Colorado Privacy Act (CPA): Introduces consumer opt-out rights and mandates security measures for personal data.
• Connecticut Data Privacy Act (CTDPA): This act includes protections for children, data portability, and detailed transparency obligations for data controllers.
• Delaware Personal Data Privacy Act (DPDPA): Effective January 2025, this law limits the processing of sensitive data and mandates opt-in consent for minors under 18.
• Iowa Consumer Data Protection Act (ICDPA): Establishes data rights for consumers and business responsibilities, including clear privacy notices and secure data handling.
• Maryland Online Data Privacy Act (MODPA): Going into effect in October 2025, MODPA adds restrictions on the use of sensitive data and empowers consumers with broader control over their personal data.
• Nebraska Data Privacy Act (NDPA): This act focuses on consumer rights to access, correction, and deletion and includes clear opt-out mechanisms for targeted advertising.

The Real Cost of Falling Behind

Let’s say your firm operates across several states. Each has its own privacy law on the books or in the works. Without clear internal policies and secure systems, it becomes nearly impossible to stay compliant.

You may encounter requests for data deletion, portability, or proof of security controls. If your systems and processes can’t respond appropriately, you risk penalties, reputational harm, or worse—a data breach.

Even minor security gaps, such as weak passwords or untracked user access, can have major consequences. And once trust is lost, it's hard to regain.

From Awareness to Action: Why Infrastructure Matters

Recognizing the risks of falling behind on privacy compliance is one thing. Translating that awareness into concrete, secure, and scalable systems that protect your firm and your clients is another challenge.

That’s where technology becomes critical.

You need more than just policies on paper—you need infrastructure that supports those policies. Systems that enforce access controls, encrypt sensitive data, and track user activity aren't just nice to have—they're essential.

Cetrom supports firms in translating compliance needs into technical action.

Compliance-Ready Infrastructure On Demand

While Cetrom doesn’t monitor or enforce state-specific privacy laws for clients, we provide the technical foundation to help your firm meet federal and industry-wide regulatory standards—including the FTC Safeguards Rule, GLBA, and other national security requirements.

Our cloud infrastructure includes:

• Multi-Factor Authentication (MFA)
• Secure remote access with Cetrom Connect
• End-to-end encryption
• Centralized audit logs
• Role-based access management
• Automated backup and disaster recovery
  
  

These tools don’t make you compliant automatically—but they enable your firm to comply with security and privacy regulations efficiently. As part of our built-in Virtual CIO (vCIO) service, we advise your team on how to leverage these systems as part of your internal compliance plan.

IRS Compliance and Cybersecurity Responsibilities

The IRS reminds all tax professionals that they are targets for sophisticated cybercriminals—and that protecting client data is a legal obligation.

In their “Protect Your Clients, Protect Yourself” campaign, the IRS outlines essential responsibilities for tax preparers, including:

• Implementing written data security plans
• Protecting client information from breaches and theft
• Following the FTC’s Safeguards Rule for cybersecurity
  
  

We strongly encourage firms to review:

• IRS Publication 4557: Safeguarding Taxpayer Data
• IRS Publication 5293: Data Theft Resource Guide

Cetrom helps firms implement the technologies that support these regulations, including encrypted communications, secure remote access, and robust system monitoring. But your firm remains responsible for creating and maintaining formal compliance policies.

Stay ahead by registering for IRS e-News for Tax Professionals and QuickAlerts to get timely updates on evolving threats.

Why Cetrom Is Built for CPAs

Unlike general IT providers, Cetrom is purpose-built for CPA firms. We understand the industry-specific software you use—like ProSystem fx, CCH, QuickBooks, and Lacerte—and the compliance requirements that come with handling sensitive client data.

Our goal is simple: Help your firm maintain secure, accessible, and compliant-ready systems so your team can stay focused on serving clients, not troubleshooting tech.

Take the Next Step Toward Compliance

If your IT systems haven’t been evaluated for compliance readiness, now is the time. Here’s how Cetrom can help:

• Contact us today to discuss your IT solutions
• Leverage our vCIO services for compliance guidance and IT strategy
• Explore our CPA cloud hosting solutions designed for performance and security

Final Thought: Compliance Starts with Preparation

Compliance isn’t a one-time task—it’s an ongoing process. With privacy laws and cybersecurity threats evolving quickly, you need more than just strong systems. You need a partner who’s ready to support you every step of the way.

Cetrom helps ensure your IT foundation supports security — so your firm has a runway for compliance, confidence, and client focus.

Final Thought: Compliance Isn’t Optional

In today’s data-driven world, privacy compliance isn’t a checklist—it’s a living process. With laws shifting with the political climate, your firm needs a technology partner that moves just as fast.