ARTICLE
2 February 2023

California Privacy Protection Agency Releases Final Version Of The CPRA Regulations

FL
Foley & Lardner

Contributor

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
The California Privacy Protection Agency (CPPA) released additional materials for their upcoming February 3, 2023 meeting. Among the materials are the proposed final version of the first set...
United States California Privacy

The California Privacy Protection Agency (CPPA) released additional materials for their upcoming February 3, 2023 meeting. Among the materials are the proposed final version of the first set of regulations and the corresponding final statement of reasons. Importantly for businesses that have been working to comply with the regulations, the CPPA has made no material changes to the final regulations as compared to the draft regulations released in November.

Businesses should keep in mind that these final regulations are only part of the regulations to be issued by the CPPA. The CPPA also released an invitation for comments on proposed rule making for cybersecurity audits, risk assessments, and automated decision making. These are important (and complex) obligations of businesses under the CPRA which have not been addressed in the proposed regulations but which will be enforceable as of July 1, 2023. In addition, the current regulations fail to address or clarify how the CPRA applies to employment and business-to-business information, which is now in scope and enforceable as of January 1, 2023. Businesses should continue to make good faith efforts to comply with these requirements based on the language of the statute.

This regulatory package presents a unique challenge as it builds upon a variety of established regulations and statutes, including those created by initiative (Proposition 24). Specifically, the proposed draft regulations largely reiterate existing language from the California Consumer Privacy Act of 2018 (CCPA) and subsequent amendments, the existing CCPA regulations (Part 1 & Part 2) promulgated by the Department of Justice (DOJ), and the self-executing requirements of the CCPA as amended by the California Privacy Rights Act of 2020 (CPRA) (see Appendix 1 for more details on the evolution of the CCPA). We consider California's law, as well as other relevant privacy compliance obligations (such as the European Union's General Data Protection Regulation or GDPR), to comprise baseline conditions.

cppa.ca.gov/...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More