On February 3, 2023, the California Privacy Protection Agency Board (“Board”) voted unanimously to approve and adopt the Agency’s California Privacy Rights Act (“CPRA”) rulemaking package. This regulatory package includes a Final Statement of Reasons, a redlined document encapsulating the Final Regulations, as well as two documents containing a summary and responses to comments on the draft CPRA Regulations that were received during the 45-day and 15-day comment periods, respectively. Please note that the Final Regulations are virtually unchanged in substance from the version that was published in November 2022.
Process for Approval of Final CPRA Regulations
At this point in the regulatory process, the approved Final Regulations will be sent to the Office of Administrative Law (“OAL”) within the next two weeks. From there, the OAL will have 30 business days to review the CPRA Regulations and determine whether to approve them for implementation. While the CPPA’s website indicates that the earliest effective date for the Final Regulations would be April 2023, that date is subject to change.
Proposed Rulemaking for New Privacy Topics
At the same Board meeting, a subcommittee presented an Invitation for Preliminary Comments on Proposed Rulemaking for new rules on the following three topics: 1) risk assessments; 2) cybersecurity audits; and 3) automated decision-making. The subcommittee prepared a draft for Board members to consider and comment on, posing pointed questions for public feedback. The draft includes a comprehensive set of questions that reflect the seriousness with which the Board is approaching the crafting of regulations for risk assessments, cybersecurity audits, and automated decision-making. Subcommittee staff noted that public comments will be extremely helpful on these topics. The Board approved the draft for release to the public within 45 days.
Next Steps in the CPRA Regulation Process
As we eagerly await the promulgation of the Final Regulations, we know that there is widespread concern and uncertainty as to how best to comply with existing regulations. In the interim, one of the most effective ways to ensure compliance during this state of flux is to discuss your company’s regulatory efforts with an experienced privacy attorney.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.