The California Privacy Rights Act (“CPRA”) went into effect on January 1, 2023. But the regulations implementing the law and providing guidance to businesses on how to comply weren’t ready yet – leaving many businesses to wonder how to comply with a moving target.
With luck, businesses won’t need to wonder much longer.
What’s Happening with the CPRA Regulations?
On February 14, 2023, the California Privacy Protection Agency (“Agency”) submitted its final draft of the amended California Privacy Protection Act (“CCPA”) regulations to the California Office of Administrative Law (“OAL”).
The final rulemaking package includes both:
- the proposed regulations incorporating the new rights and obligations adopted pursuant to the CPRA; and
- a draft final statement of reasons and appendices responding to comments the Agency received during the public comment period.
The OAL has until March 29, 2023 to review the package. If OAL approves, the final CCPA regulations will go to the California Secretary of State for filing.
If the OAL does not approve, the package will go back to the CPPA, along with a written decision from OAL explaining its reasons for denying approval. The CPPA would have an additional 120 days to cure any issues.
This means that the earliest we could see final regulations take effect would be sometime in April 2023.
What You Should Know About The CPPA’s Final Rules
Businesses will be relieved to know that the final rulemaking package did not differ substantially from the last draft adopted at the CPPA board’s October meeting.
The Agency received additional comments during the final public comment period, but it determined that no further changes to the proposed regulations were necessary in light of those comments.
The CPPA board didn’t suggest any changes to the final rulemaking package at its February 3, 2023 meeting either. Many are hopeful that by taking a little extra time, the Agency has landed on final regulations that will sail through OAL review. If this happens, it will avoid the confusion and frustration the original CCPA regulations caused.
Key Takeaways For US Businesses
Notably, the final regulations:
- Attempt to harmonize requirements between the CCPA and other pending state privacy laws;
- Incorporate recent enforcement activity (such as explicitly endorsing the use of the Global Privacy Control for opt-out signal compliance); and
- Includes a rule giving the Agency the discretion to consider good faith efforts by businesses to comply during the period of uncertainty between January 1 and the date the final regulations take effect when considering taking enforcement action against a company.
If you need help complying with California state privacy laws, reach out. Our privacy attorneys would love to help.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.