Insights

CPRA Update: September 23, 2022

CPRA Update: September 23, 2022

Sep 29, 2022
Download PDFDownload PDF
Print
Share

The California Privacy Protection Agency (CPPA) Board met on September 23, 2022, to discuss ongoing efforts to prepare for the California Privacy Rights Act (CPRA), which becomes operative on January 1, 2023 (an agenda of the meeting can be found here). The Board provided an update on the ongoing rulemaking process, but did not offer specific timelines for updating and finalizing the draft regulations, which were originally slated for release on July 1, 2022.  The Board did confirm, however, that there will be “quite a few changes” to the current draft of the regulations (current version available here) in response to public comments. The Board declined to provide further information or examples of anticipated updates. Based on the meeting and current drafting efforts, it is still unclear when businesses can expect a new draft of the regulations before the CPRA’s operative date.

Multiple commentators voiced concerns over the burden covered businesses will face in complying with the final version of the regulations before the CPPA begins enforcement on July 1, 2023, given the current delays in the rulemaking process. The Board acknowledged at a high level the potential for considering the delay as part of the enforcement process, but did not address with any specificity whether any efforts to delay enforcement would be pursued. For instance, the Board acknowledged that they may consider the following steps relating to enforcement actions: asking the CPPA (the general enforcement body that is governed by the five-member Board) to consider the delayed final regulations as a “factor” in enforcement actions, and asking the legislature to delay the time period for enforcement actions.

Beyond high compliance costs covered businesses are expecting with last minute compliance measures, the delay on the final regulations could also bring similar delays to other state data privacy laws scheduled to take effect on January 1, 2023 and soon after, such as the Virginia Consumer Data Protection Act to the extent those states are relying on the California regulations as guide post for their own rulemaking activities and/or working to establish consistent regulations. Nevertheless and although these delays create further uncertainty for organizations trying to prepare for the CPRA and other US state privacy laws, it is still critical to move forward with certain key elements of CPRA compliance, particularly those that are less dependent on the regulations (e.g., updating privacy notices, preparing for expanded data subject rights, strategy with regard to adtech and cookies). 

Related Practice Areas

  • Data Privacy & Security

Meet The Team

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.