As readers of our blog know, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect on January 1, 2022, with the aim of affording consumers “more control” over what companies can do with their personal information. In an effort to further strengthen consumer rights, in November of 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). The CPRA regulations will take effect and amend several portions of the CCPA on January 1, 2023. One of the most important changes is that the 30-day grace period to rectify CCPA violations will no longer exist. In fact, under the CPRA, businesses will be subject to civil penalties immediately after the Attorney General has deemed them to be in violation of the statute.
CPPA Board Met Last Week to Discuss CPRA Regulations Rollout
The CPRA established a new agency, the California Privacy Protection Agency (“CPPA”), to implement and enforce the law. The CPPA is governed by a five-member Board, which met most recently on December 16, 2022. Businesses and attorneys across the country have been eagerly awaiting the outcome of this meeting with the hope of obtaining meaningful guidance on how to comply with the new CPRA regulations. However, it appears that any significant CPPA compliance direction from the state agency has been pushed back yet again. At the meeting, CPPA Executive Director Ashkan Soltani indicated that the final rules will likely be released in late January. Keep in mind that once the final rules are released, there is still a 30-day review period that will follow, to be conducted by the California Office of Administrative Law. Pursuant to this timeline, the CPPA expects that the final CPRA regulations will be set in stone by April 2023. Notwithstanding the foregoing, as stated by the International Association of Privacy Professionals (“IAPP”), “[t]he Board said existing regulations will be in effect until the final regulations are approved.”
Board Identified Three Areas of CPRA Regulations That Need More Feedback
At the meeting, the Board conveyed two of its most basic goals: 1) providing compliance guidance to businesses; and 2) providing privacy rights to consumers. In that spirit, the subcommittee identified three areas of the CPRA regulations that would benefit from additional feedback and public comment. They include risk assessments, cybersecurity audits, and automated decisionmaking. Within each category, the subcommittee prepared additional topics on which they seek more input. Once they receive feedback, the Board will be able to make more informed decisions as to how to finalize the regulations.
How Best to Comply with CPRA Regulations
Here we are less than two weeks prior to the CPRA effective date, and we had expected to have clear answers by now on how to comply with the CPRA regulations. As the industry eagerly awaits the final regulations, we know that there is widespread concern and uncertainty as to how best to comply with existing regulations. In the interim, one of the most effective ways to ensure compliance during this state of flux is to discuss your company’s regulatory efforts with an experienced privacy attorney.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.