CPRA Status as Effective Date Approaches

The California Privacy Rights Act (CPRA) goes into effect on January 1^st, 2023. The finalized CPRA regulations still haven’t been released by the California Privacy Protection Agency (CPPA), even though the initial finalization deadline was July 1, 2022. For covered organizations, the unknown CPRA status could make compliance more challenging since they will have less time to study the final regulations before enforcement begins.

The CPRA rulemaking process does appear to be in the home stretch. Modifications to the draft regulations have been approved and the 15-day public comment period that followed ended in late November. If no significant changes come out of the public comments, the CPRA board can send finalized rules to the California Office of Administrative Law (OAL). OAL has 30 working days to approve or disapprove regulations, so potentially final CPRA regulations could be published in January or February of 2023.

Possible Enforcement Date Flexibility

CPRA enforcement is scheduled to begin on July 1^st, 2023. The latest modifications reveal that the CPPA could grant organizations some wiggle room regarding the enforcement date. The proposal states:

As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.

Consideration for enforcement date delays will be case-by-case, depending on “good faith efforts” to comply with CPRA requirements. Despite the flexibility, organizations should strive to reach full compliance by the July deadline to minimize risk.

The Latest Modifications & Clarifications

Modifications to the proposed CPRA requirements have been made since the original proposal was released in July 2022. More revisions could be made depending on the submissions from the last round of public comments.

Here is a look at some of the significant modifications.

Changes to the Restrictions on the Collection and Use of Personal Information regulations are summarized below.

The purpose for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer whose personal information is collected or processed. The consumer’s reasonable expectations concerning the purpose for which their personal information will be collected or processed shall be based on the following:

• The relationship between the consumer and the business
• The type, nature, and amount of personal information sought by the business
• The source of the personal information and the method of collection and processing by the business
• The specificity, explicitness, prominence, and clarity of disclosures to the consumer (including the Notice at Collection or Privacy Policy)
• How apparent the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is to the consumer

Clarifications were made regarding opt-out signals made in a pseudonymous manner. That requirement now reads as:

The business shall treat the opt-out preference signal as a valid request to opt-out of sale/sharing submitted pursuant to Civil Code section 1798.120 for that browser or device and any consumer profile associated with that browser or device, including pseudonymous profiles. If known, the business shall also treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer. This is not required for a business that does not sell or share personal information.

CompliancePoint has an experienced team of privacy professionals that can help your organization reach and maintain compliance with the CPRA and other state privacy laws. Contact us and connect@compliancepoint.com to learn more.