As many are aware, the CPRA regulations are currently in draft status and may continue in that state until April, despite the law’s January 1 effective date. This could result in regulations being in final form after the July 1 date that the California Privacy Protection Agency (CPPA) has signaled that it will begin enforcement. Last week, during a Dec. 16 CPPA board meeting, the agency’s executive director indicated that the final rules will likely be released at the end of January. Although there will then be a comment period, the director indicated that the agency does not currently anticipate making further revisions to the draft regulations.
As anticipated, then, under the revised timeline from the CPPA, the final regulations would take effect in approximately April 2023, three months before enforcement of those same regulations will begin. The agency has not indicated any planned delay to the July enforcement time frame, even though the law gives it the discretion to do so. Given the law’s upcoming effective date companies should move forward with implementation, following the current draft regulations. While there may be some minor modifications in January, companies can take heart that the CPPA doesn’t currently anticipate them being significant.
During the same meeting, the CPPA signaled that it is moving forward with additional rulemaking on risk assessments, cybersecurity audits, and automatic decision making. Draft questions for seeking public comments were introduced, which questions will be finalized at a later meeting.
Putting it into Practice: This most recent news from the CPPA should not impact companies’ current implementation activities. At this stage, companies should continue implementing the regulations as currently drafted and accept the risk that more revisions could occur.