The Bottom Line
- While businesses are eager to implement new compliance steps to meet the requirements of the CPRA and other new privacy laws, full compliance is not possible until regulators provide final rules stipulating how businesses can achieve such compliance. Therefore, businesses will continue to wait anxiously for such guidance.
CPRA Regulations
With the January 1, 2023 effective date of the California Privacy Rights Act (CPRA) fast approaching, companies have been eagerly awaiting the publication of CPRA regulations from the new California Privacy Protection Agency (CPPA). The regulations were originally set to be finalized by July 1, 2022 — a date that would have given businesses six months to prepare to comply with the CPRA.
CCPA Executive Director Ashkan Soltani announced on February 17, 2022, however, that the CPPA likely will not finalize the regulations until “Q3 or Q4” of 2022. Therefore, companies may have only months — or weeks — to fully develop compliance measures before the start of 2023.
The narrower time period may put companies in a difficult position. They can either (1) start developing their compliance activities based on the existing text of the CPRA and speculation as to what may be in the final regulations, adjusting their programs accordingly when those regulations are released or (2) hold tight and wait for the CPPA to finalize the CPRA regulations before developing a compliance framework on an expedited timeframe.
CPRA Amendments – Employee Data
The California Consumer Privacy Act (CCPA) and CPRA both contained carve-outs from most compliance obligations for certain personal information processed in the context of employment or B2B activities. However, both the CCPA and then the CPRA established a sunset on those exemptions. Without those exemptions, employers would have significant new obligations with respect to their own personnel.
Two bills have been proposed in the California State Assembly to either push back the sunset period to 2026 or keep the exemptions in place permanently. Since the CPRA sunset period ends on January 1, 2023, businesses will want to pay close attention to the progress of these bills.
Virginia and Colorado
All of these considerations are taking place as the new privacy laws in Virginia and Colorado are also set to go into effect next year. Virginia’s law similarly has an effective date of January 1, 2023, which will add to companies’ compliance-deadline pressure.
Colorado Attorney General Phil Weiser last month — on Data Privacy Day — announced that Colorado is also undergoing a rulemaking process for their new data privacy law, which comes into effect on July 1, 2023. In making this announcement, the Attorney General acknowledged some overlap with issues covered by California law and expressed a desire to finalize this rulemaking process within one year.