[email protected]

CPRA regulations finalized and effective immediately

Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."
Source: https://upload.wikimedia.org/wikipedia/commons/0/01/Flag_of_California.svg.

[Update: On March 30, 2023, the California Chamber of Commerce filed suit against the California Privacy Protection Agency, arguing that the amended regulations should not enter force until once year following finalization of the regulations. The court agreed, holding that enforcement cannot occur until one year after the regulations were finalized, thereby pushing the enforcement date from March 29, 2023, to March 29, 2024. The case is being appealed, but it is not expected to be finalized until after the new enforcement date.]

On March 30, 2023, the California Privacy Protection Agency (the Agency) announced that its first rulemaking package for the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), was approved by the California Office of Administrative Law (OAL).[1] Approval by the OAL marks the completion of the rulemaking process, thereby making the regulations effective immediately.

“This is a major accomplishment, and a significant step forward for Californians’ consumer privacy. I’m deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process,” CPPA Board Chair Jennifer Urban said in a statement.[2]

The regulations build upon and clarify provisions within the CPRA, which amended and expanded the CCPA. For example, the regulations allow businesses to offer a “Your Privacy Choices” mechanism on a website’s homepage instead of a “Do Not Sell or Share My Personal Information” mechanism.

The regulation had originally been scheduled for completion for July 1, 2022, but due to insufficient staffing and resources, the Agency announced an extended delay to the process.[3] This delay of almost a year left businesses and privacy professionals scrambling, because the CPRA came into effect on January 1, 2023, yet many of its provisions were unclear. Now, finalization begets clarity.

That said, the Agency’s enforcement efforts will begin July 1, 2023, which gives little time to comply with the regulations. The Agency has indicated a soft initial approach to enforcement though. Section 7301(b) of the finalized regulation state that the Agency may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” While this leaves some breathing room, it does not alleviate non-compliance in all instances, and businesses should move to finalize compliance with these regulations.

The final regulations, although effective immediately, will not be published publicly until they are processed, which is expected to happen next week. The final regulations will be made available here: https://cppa.ca.gov/regulations/consumer_privacy_act.html

[1] https://cppa.ca.gov/announcements/ (announcement on March 30, 2023)

[2] Id.

[3] https://iapp.org/news/a/cpra-regulations-delayed-past-july-1-deadline-expected-q3-or-q4/