On March 29, 2023, the California Office of Administrative Law (the "OAL") approved the first substantive set of California Privacy Rights Act ("CPRA") regulations updating the California Consumer Privacy Act regulations. The text of the final rules can be found here.

As the California Privacy Protection Agency (the "CPPA") acknowledges, the regulations have "not changed substantively since the Agency Board voted on modification[s]" made at the end of October 2022. As such, the critical compliance areas continue to include:

  1. new rights to correct personal information and to limit the use of sensitive personal information;
  2. required procedures around data subject rights requests;
  3. requirements for honoring requests to opt out of the "sale" or "sharing" of personal information and responding to opt-out preference signals;
  4. the content and form of required privacy notices; and
  5. contractual requirements for agreements with service providers, contractors, and third parties to whom a business sells or with whom a business shares personal information. Our previous discussion of the original draft regulations where we covered these requirements in greater detail can be found here.

While the rules went into effect immediately upon release, enforcement is set to commence on July 1, 2023.

That said, a complaint filed one day after the OAL approved the regulations by the California Chamber of Commerce could push out the July 1, 2023, timeline. The complaint seeks to delay enforcement until 12 months after a final and complete set of regulations has been adopted. The finalized regulations are only the first set of regulations the CPPA is required to adopt under the CCPA. For example, the agency issued an invitation for comments (which is now closed) related to the proposed rulemaking for cybersecurity audits, risk assessments, and automated decision-making.

With enforcement looming, it is also worth noting that the CPRA replaced the CCPA's original automatic 30-day right to cure non-compliance violations with a discretionary cure from the CPPA, which oversees administrative enforcement over the CCPA. Notwithstanding the CPPA's discretionary cure notice, the California Attorney General, which retains civil enforcement power, can act immediately on any violations without notice.

Domestic privacy law has seen several recent developments along with these first set of final regulations. The Colorado Privacy Act ("CPA"), regulations for which the Colorado Attorney General also recently finalized, and the Connecticut Data Privacy Act are likewise set for July 1, 2023, enforcement.

Baker Botts will continue to monitor developments with these and other data privacy regulations. If you have questions about these proposed regulations, please reach out to any of the lawyers listed below or your usual Baker Botts contact.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.