Update on the CPRA Regulations

On February 3, 2023, the California Privacy Protection Agency Board (“Board”) voted unanimously to approve and adopt the Agency’s California Privacy Rights Act (“CPRA”) rulemaking package. This regulatory package includes a Final Statement of Reasons, a redlined document encapsulating the Final Regulations, as well as two documents containing a summary and responses to comments on the draft CPRA Regulations that were received during the 45-day and 15-day comment periods, respectively. Please note that the Final Regulations are virtually unchanged in substance from the version that was published in November 2022.

Process for Approval of Final CPRA Regulations

At this point in the regulatory process, the approved Final Regulations will be sent to the Office of Administrative Law (“OAL”) within the next two weeks. From there, the OAL will have 30 business days to review the CPRA Regulations and determine whether to approve them for implementation. While the CPPA’s website indicates that the earliest effective date for the Final Regulations would be April 2023, that date is subject to change. 

Proposed Rulemaking for New Privacy Topics

At the same Board meeting, a subcommittee presented an Invitation for Preliminary Comments on Proposed Rulemaking for new rules on the following three topics: 1) risk assessments; 2) cybersecurity audits; and 3) automated decision-making. The subcommittee prepared a draft for Board members to consider and comment on, posing pointed questions for public feedback. The draft includes a comprehensive set of questions that reflect how seriously the Board is taking the crafting of regulations for risk assessments, cybersecurity audits, and automated decision-making. Subcommittee staff noted that public comments will be extremely helpful on these topics. The Board approved release of the draft to the public within 45 days.

Next Steps in the CPRA Regulation Process

As we eagerly await the promulgation of the Final Regulations, we know that there is widespread concern and uncertainty as to how best to comply with existing regulations. In the interim, one of the most effective ways to ensure compliance during this state of flux is to discuss your company’s regulatory efforts with an experienced privacy attorney. 

If you are interested in working with a law firm that is focused on this rapidly changing regulatory landscape, please email us at info@kleinmoynihan.com or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney.  Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising



David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.
