CPRA Update: September 23, 2022

The California Privacy Protection Agency (CPPA) Board met on September 23, 2022, to discuss ongoing efforts to prepare for the California Privacy Rights Act (CPRA), which becomes operative on January 1, 2023 (an agenda of the meeting can be found here). The Board provided an update on the ongoing rulemaking process, but did not offer specific timelines for updating and finalizing the draft regulations, which were originally slated for release on July 1, 2022.  The Board did confirm, however, that there will be “quite a few changes” to the current draft of the regulations (current version available here) in response to public comments. The Board declined to provide further information or examples of anticipated updates. Based on the meeting and current drafting efforts, it is still unclear when businesses can expect a new draft of the regulations before the CPRA’s operative date.

Multiple commentators voiced concerns over the burden covered businesses will face in complying with the final version of the regulations before the CPPA begins enforcement on July 1, 2023, given the current delays in the rulemaking process. The Board acknowledged at a high level the potential for considering the delay as part of the enforcement process, but did not address with any specificity whether any efforts to delay enforcement would be pursued. For instance, the Board acknowledged that they may consider the following steps relating to enforcement actions: asking the CPPA (the general enforcement body that is governed by the five-member Board) to consider the delayed final regulations as a “factor” in enforcement actions, and asking the legislature to delay the time period for enforcement actions.

Beyond high compliance costs covered businesses are expecting with last minute compliance measures, the delay on the final regulations could also bring similar delays to other state data privacy laws scheduled to take effect on January 1, 2023 and soon after, such as the Virginia Consumer Data Protection Act to the extent those states are relying on the California regulations as guide post for their own rulemaking activities and/or working to establish consistent regulations. Nevertheless and although these delays create further uncertainty for organizations trying to prepare for the CPRA and other US state privacy laws, it is still critical to move forward with certain key elements of CPRA compliance, particularly those that are less dependent on the regulations (e.g., updating privacy notices, preparing for expanded data subject rights, strategy with regard to adtech and cookies).