Your FAQs About 2023 Privacy Compliance Answered

January 13, 2023

This week, we’ve answered some of the most common queries we’ve heard recently about privacy in California. 


Q: What changed in California privacy on January 1, 2023?

A: We want to preface our answer by stating that there has been a flurry of activity in California privacy. Many significant changes are coming in 2023 and 2024. We recommend speaking regularly with legal counsel about changes that may affect your business. 

With that said, the change that will affect the most businesses is the introduction of the California Privacy Rights Act (CPRA). CPRA amended the California Consumer Privacy Act (CCPA) effective January 1, 2023. Some of the changes that are now effective include: 

  • CCPA exemptions regarding personal information related to employees and B2B data are eliminated;  
  • New rights to limit the sharing of personal information and limit the use and disclosure of sensitive personal information;
  • New data minimization requirements; and
  • New contract requirements for agreements with service providers, contractors, and third parties. 


Q: How do we handle the CPRA Regulations delay?

A: The CPRA Regulations remain in draft status, despite the January 1 effective date. This has caused much confusion for California businesses. 

Unfortunately, at this point, the regulations will not be finalized before April, at the earliest. and it remains unclear if the timeline for enforcement (currently July 1, 2023) will be delayed. 

 Given the uncertainty, we’re seeing most businesses aligning their privacy practices with the CPRA draft regulations in their current form. There is a risk that the regulations will change. However, any modifications at this stage will likely be minor. 

Find the regulations here:


Q: Is there anything my company can do to prepare for future privacy laws?

A: Your company has two options in the uncertain privacy compliance environment: be proactive or be reactive. 

Proactive privacy programs consider trends in privacy regulations and consumer sentiment, as well as governance frameworks that embed privacy into your business operations – such as the NIST framework or Privacy By Design. This approach considers the privacy impact on consumers (and now employees and other businesses) at the earliest stage in projects and operations. It empowers businesses to understand the potential privacy risks and embed appropriate protections from the outset instead of as a stop-gap.

Reactive privacy programs react to legislative changes or consumer demand if and when they arise. 

Whether you’re proactive or reactive, there will likely be some ‘surprises’ in California privacy compliance in the future. However, proactive companies are likely to be in a better position to respond quickly (and, likely, at a lower cost) to privacy compliance changes. 


Q: What about these reports that Congress might finally pass federal legislation that could preempt state laws like the CCPA/CPRA? Should we prepare for the CPPA’s new requirements or wait to see what shakes out in Congress?

A: On July 20, 2022, the U.S. House Energy and Commerce Committee passed H.R. 8152, the America Data Privacy and Protection Act (ADPPA). However, this is not final. The bill next will be put to a vote before the full House and, if passed there, would then move to the Senate. The California Privacy Protection Agency has publicly opposed the ADPPA and any other bill seeking to preempt the CCPA or otherwise weaken it. 


If you need assistance navigating privacy in California, reach out. Our privacy attorneys would love to help. 


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you