The California Privacy Protection Agency (“CPPA”) has approved a set of regulations to implement the California Privacy Rights Act (“final proposed CPRA regulations”). The final proposed CPRA regulations will be submitted to the California Office of Administrative Law in the next two weeks for a 30-day approval period. If there are no delays, the final proposed CPRA regulations could take effect as early as April 2023. This would leave businesses with approximately three months to ensure compliance before enforcement is set to commence on July 1, 2023.
The final approval comes more than six months after regulations were originally set to be finalized under the CPRA. It also marks the end of what has been an iterative rulemaking process for the CPPA. Starting in July 2022, the CPPA published and sought comment on three rounds of proposed draft regulations. This culminated in draft regulations released for public comment on November 3, 2022.
The final proposed CPRA regulations remain largely unchanged from the November draft regulations. In conjunction with the final proposed CPRA regulations, the CPPA released a Final Statement of Reasons (“FSOR”) explaining each change. Below are outcomes for the following key topics that we have been covering throughout the CPPA’s rulemaking process:
The CPPA has already commenced rulemaking for the next set of topics that were not included in these final proposed CPRA regulations. According to the list of proposed preliminary rulemaking questions included in the CPPA’s February board meeting materials, these topics include cybersecurity audits, risk assessments, and automated decision-making.