On February 3, 2023, the California Privacy Protection Agency Board ("Board") voted unanimously to approve and adopt the Agency's California Privacy Rights Act ("CPRA") rulemaking package. This regulatory package includes a Final Statement of Reasons, a redlined document encapsulating the Final Regulations, as well as two documents containing a summary and responses to comments on the draft CPRA Regulations that were received during the 45-day and 15-day comment periods, respectively. Please note that the Final Regulations are virtually unchanged in any substantive way from the version that was published in November 2022.
Process for Approval of Final CPRA Regulations
At this point in the regulatory process, the approved Final Regulations will be sent to the Office of Administrative Law ("OAL") within the next two weeks. From there, the OAL will have 30 business days to review the CPRA Regulations and determine whether to approve them for implementation. While the CPPA's website indicates that the earliest effective date for the Final Regulations would be April 2023, that date is subject to change.
Proposed Rulemaking for New Privacy Topics
At the same Board meeting, a subcommittee presented an Invitation for Preliminary Comments on Proposed Rulemaking for new rules on the following three topics: 1) risk assessments; 2) cybersecurity audits; and 3) automated decision-making. The subcommittee prepared a draft for Board members to consider and comment on, posing pointed questions for public feedback. The draft includes a comprehensive set of questions that reflect the seriousness with which the Board is taking the crafting of regulations for risk assessments, cybersecurity audits, and automated decision-making. Subcommittee staff noted that public comments will be extremely helpful on these topics. The Board approved dissemination of the draft to be released to the public within 45 days.
Next Steps in the CPRA Regulation Process
As we eagerly await the promulgation of the Final Regulations, we know that there is widespread concern and uncertainty as to how best to comply with existing regulations. In the interim, one of the most effective ways to ensure compliance during this state of flux is to discuss your company's regulatory efforts with an experienced privacy attorney.
Related Blog Posts:
The Latest On CPRA Regulations
First Major CCPA Violation Enforcement Action Announced!
UCPA Compliance: Using CCPA Compliance Efforts To Prepare For The Utah Consumer Privacy Act
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.