As of January 1, 2023, the California Privacy Rights Act (CPRA) will substantially modify and expand California’s Consumer Privacy Act (CCPA). The CPRA leaves many key details to be worked out in regulations, which the CPRA requires to be finalized by July 1, 2022.[1] However, if companies hoped to wait for the final CPRA regulations before beginning their CPRA compliance activities, they may need to reconsider their plans in light of a recent announcement that the CPRA regulations may be delayed until Q3 or even Q4.
The CPRA contains a long list—over 5 pages in length—of new obligations to be further defined in the CPRA regulations, including but not limited to details related to:
- New rights for consumers to limit processing of sensitive personal information;
- New rights for consumers to request correction of their personal information;
- New rights for consumers to opt out of the “sharing” of their personal information for cross-context behavioral advertising;
- Extending the current 12-month look-back period for consumers’ requests to receive a copy of the specific pieces of personal information a business maintains on them;
- New obligations for certain businesses to perform an annual cybersecurity audit, and submit risk assessments “on a regular basis” to the California Privacy Protection Agency;
- New, yet-to-be-defined, access and opt-out rights for consumers with respect to use of automated decision-making technology; and
- Requirements and technical specifications for opt-out preference signals that businesses must honor as a method for consumers to exercise their opt-out rights under the CCPA/CPRA.
The regulations will be developed by the California Privacy Protection Agency (the Agency), the agency now tasked with implementing and enforcing the law. The Agency has already started work, inviting public comments last fall on a range of topics.
Although the CPRA provides that the final regulations will be adopted by July 1, 2022, the Agency recently announced at a board meeting that rulemaking for the CPRA will not be complete until Q3 or Q4. If this feels like déjà vu, there is a good reason: there was a similar delay in finalizing the original regulations for the CCPA.
There is some good news for companies, however: the CPRA provides that enforcement of the new CPRA provisions will not begin until July 1, 2023, and will apply only to violations occurring on or after that date.[2] This effectively gives companies a 6-month grace period before they are subject to enforcement action, although the CPRA obligations will still become operative on January 1, 2023. Once enforcement begins, the CPRA eliminates the 30-day notice and cure period that the CCPA has provided.
As many companies learned in preparing for the CCPA when it first took effect, operationalizing these new rights and obligations can take much more time and effort than expected. Companies will want to begin planning their CPRA compliance measures well in advance, even if we may need to wait longer than expected for the CPRA regulations.
[1] Cal. Civ. Code § 1798.185.