Covered entities under the California Privacy Rights Act (CPRA) can breathe a partial sigh of relief: the actual rules they must follow are expected to become law soon.
Businesses have been in a state of legal limbo since the CPRA went into effect on January 1, 2023, without the proposed regulations being approved. The latest news out of California is that the long-awaited final rules are expected to take effect in April 2023 ahead of enforcement beginning July 1, 2023.
Members of the business community have expressed frustration over missed deadlines in the CPRA rulemaking process and asked California authorities to extend the enforcement deadline. Since an extension does not appear to be forthcoming, businesses should start preparing now for CPRA compliance.
Read on to learn about the latest developments in California, and how you can prepare using our CPRA compliance checklist.
Updated CPRA compliance timeline
Our previous rundown of the California Privacy Rights Act (CPRA) left off in August 2022, when the California Privacy Protection Agency (CPPA)—the agency in charge of implementing and enforcing the CPRA—had initiated a 45-day written comment period for a preliminary draft of proposed CPRA regulations.
Following the comment period and public hearings, in September 2022 the CPPA issued modified proposed CPRA regulations. During a series of CPPA Board meetings held in October, the agency discussed the modified proposed regulations. After the meetings, the CPPA considered additional changes and in November published another set of modified proposed rules, setting in motion a 15-day comment period.
At the conclusion of the second comment period, the CPPA staff prepared a final rulemaking package that it presented to the Board. On February 3, 2023, the Board voted unanimously to adopt and approve the package.
The next step was filing the final rulemaking package with the California Office of Administrative Law (OAL) on February 14. From that date, the OAL has 30 business days to review and approve the proposed regulations. CPPA states on its FAQ page, “the earliest that proposed regulations could be in effect is April 2023; however, this estimate is subject to change.”
OAL’s deadline to approve the CPRA final draft regulations is March 29, 2023. If approved, they’ll be sent to the California Secretary of State and become law. If not approved, the OAL will provide the CPPA with a written notice explaining the reasons for disapproval.
Businesses interested in receiving notifications about the exact date of implementation can sign up for CPPA email alerts.
The business community expresses concerns about CPRA compliance
Barring any setback or unforeseen developments, all indications are that the CPRA regulations will take effect in April—nine months later than CPPA’s initial deadline of July 1, 2022.
CPPA Board Member Lydia de la Torre downplayed the drawn-out rulemaking process, acknowledging the “professionalism and dedication” of the agency’s staff. However, privacy attorneys told IAPP that companies were “hoping for certainty of the final regulations a bit sooner” and the process has been “frustrating for businesses seeking to comply in good faith.”
An opinion piece in the California publication Capitol Weekly authored by the California Retailers Association President claims the CPPA has ignored business input, refused to adequately consider the impact of new privacy rules on businesses, lacked transparency, and fostered distrust in the business community. It calls for extending the enforcement deadline “so businesses have time to accommodate.”
Earl “Skip” Cooper II, Chairman of the Board and President Emeritus of the Los Angeles-based Black Business Association, writes that the July 1 enforcement deadline “leaves little room for incorporating any meaningful input from small businesses before the new rules are finalized and little time for small businesses to adjust their operations before the threat of punishment from the state.”
Writing in the Sacramento Business Journal, Julian Cañete, President and CEO of the California Hispanic Chambers of Commerce, says the July 1 deadline would “force many small businesses into noncompliance, open the door to lengthy, complex litigation, and add to customer confusion.”
A major concern of businesses is CPRA compliance costs. The CPPA has reported that complying with the new regulations will cost businesses less than $127. However, the Washington Legal Foundation notes that when the Attorney General (AG) proposed California Consumer Privacy Act (CCPA) regulations, it estimated an average compliance cost of $100,000 per business ($75,000 initial cost and $2,500 per business each year for 10 years).
The Information Technology & Innovation Foundation estimates privacy law compliance will cost California $46 billion annually, with in-state small business costs of $9.3 billion and out-of-state small business costs of $2.5 billion. A study for California’s Attorney General found that two-thirds of all California businesses impacted by the CCPA are small businesses, which have a more difficult time absorbing compliance costs than large firms with higher revenue.
What can businesses expect from the final CPRA regulations?
The CPRA is not technically a new, separate California privacy law. It amends the CCPA, providing updated privacy protections for consumers and imposing stricter regulations on covered businesses. In draft documents, the CPPA refers to the CPRA as “CCPA” or “CCPA, as amended.”
According to law firm Husch Blackwell, the draft regulations sent to OAL for final approval are substantively the same as those adopted at the CPPA’s October meetings. On its Byte Back privacy and data security law blog, the firm identifies several key points from the pending regulations.
Discretionary enforcement reprieve
The CPPA did not extend the CPRA’s July 1 enforcement deadline, as some businesses had hoped for. But the Board did add a rule to the proposed final regulations that would allow the agency to "consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements."
Third parties as service providers
The first enforcement settlement under the CCPA, a $1.2 million fine against Sephora, stemmed from the company’s sharing of information with third-party advertising networks and analytics providers. It raised considerable debate (discussed at length by IAPP) about whether this common data-sharing practice constitutes the “sale” of consumers’ personal information. The AG took the position that sharing data with a vendor in exchange for analytics or ads is a “sale” (rather than the business buying a vendor service).
But the CPRA draft regulations appear to allow for instances in which an analytics business can be a service provider—not a third party. IAPP recommends that businesses put in place service provider contracts to help prove that a vendor is a service provider.
Data collection and use limitations
The proposed regulations change several requirements related to purpose limitations, secondary uses, and data minimization. For example, CPRA § 1798.100(c) requires a business’s processing of personal information to be “reasonably necessary and proportionate” to achieve the purposes for which the information is collected or processed, or for “another disclosed purpose” compatible with the context in which the information was requested.
New requirements base this analysis of data collection purpose on “the reasonable expectations of the consumer.” The latest round of revisions adds five factors for businesses to consider when making this determination. It also lists three factors for determining when processing is “reasonably necessary and proportionate” and whether a “disclosed purpose” meets the stated criteria. However, the CPPA Board said that it would like to further clarify these provisions at a later date.
Other significant issues addressed in the CPRA draft regulations include:
- Opt-out preference signals
- Use of sensitive personal information
- User interfaces
- Choice architecture
- Personal information collection notices
More changes coming to the CPRA
The Board knew it was under the gun to finalize the CPRA regulations as soon as possible after blowing past its initial July 2022 deadline. But the rulemaking package the Board sent to the OAL should be seen as a work in progress. On several points, the Board expressed a desire to make further revisions to these rules at future meetings.
In addition, the finalized rules do not cover all of the topics for which regulations are necessary. They address topics that include consumer opt-out mechanisms, consumer requests, data processing agreements, dark patterns, and recognition of opt-out preference signals.
They do not cover cybersecurity audits, risk assessments, or automated decision-making. For those three topics the CPPA started a fresh round of preliminary rulemaking in February, so separate regulations will follow later.
Your CPRA compliance checklist
The clock is ticking on CPRA compliance. Despite the Board making a concession to covered businesses with its discretionary enforcement reprieve, the expected April implementation date looms large.
On a positive note, businesses aren’t starting from scratch with their compliance strategy. Because the CPRA amends the CCPA, a focused approach should be sufficient to address additional compliance burdens.
Even before the OAL approves the new regulations, businesses can take action. To be ready by July 1st, here is a CPRA compliance checklist you can use:
1) Know if you’re covered
For-profit companies that do business in California, collect personal information of California residents, and meet at least one of the CPRA’s thresholds are generally covered: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information. Meeting any one of these thresholds is enough.
2) Familiarize yourself with the law
Ignorance of the law is not an excuse for noncompliance. The final regulations text is available on the CPPA’s website.
3) Have a compliance team
Multiple stakeholders across your organization may play a role in maintaining CPRA compliance. Meet with key leaders (e.g., the board, management, and executives), build a team, and assign key roles and responsibilities for ensuring compliance accountability.
4) Inventory and map your data
Your organization must understand the categories of personal information it holds, where it originates, why it’s processed, and how it flows to, through, and from your organization. If you don’t know what data you have, who can access it, and what’s being done with it, you can’t honor CPRA consumer rights.
5) Train staff
Each company’s CPRA compliance team can be structured differently, depending on the organization. In larger organizations, it might be led by a Chief Privacy Officer together with the cybersecurity team, or by in-house legal counsel.
Other organizations might rely on a customer service team or a cross-department task force. Regardless, make sure the relevant individuals have the training they need. Also, consider company-wide training on the CPRA and general data privacy principles and practices.
6) Implement compliance protocols
Strong processes and technical measures, both general and specific to the CPRA, are paramount to compliance. For example, accountable team members should have defined processes for honoring new CPRA-related consumer rights, including the right to opt out of the sharing of personal information and the right to correct and delete data.
A robust cybersecurity framework that uses global best practices will help to protect against the CPRA’s expanded liability for data breaches.
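One of the concrete technical obligations behind “honoring the right to opt out of sharing” is recognizing a browser opt-out preference signal, the mechanism listed under “opt-out preference signals” above. The Global Privacy Control (GPC) signal arrives as the request header `Sec-GPC: 1`, and the final regulations require a business to treat a valid signal as a request to opt out of the sale and sharing of personal information. The following is an added example, not code from the original article or from Didomi: it parses a constructed HTTP request, detects a well-formed signal, and then loads only the vendors that operate as service providers under contract (the distinction discussed in the Sephora section above). The `parse_headers` helper, the `Vendor` class, the vendor catalogue and the sample requests are all assumptions made for the illustration.

```python
# Added example: honoring a Global Privacy Control (GPC) opt-out signal server-side.
# Not code from the original page. Assumptions: GPC is carried as "Sec-GPC: 1";
# vendors marked as service providers receive data only on the business's behalf
# (so loading them is not a "sale" or "share"); everything else is treated as sharing.
from __future__ import annotations

from dataclasses import dataclass


def parse_headers(raw_request: str) -> dict[str, str]:
    """Extract headers from a raw HTTP/1.1 request (request line first, then headers).

    Header names are case-insensitive, so they are lower-cased on the way in.
    Duplicate headers keep the last value; this example does not need folding.
    """
    lines = raw_request.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is "GET /path HTTP/1.1"
        if not line:                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def gpc_opt_out(headers: dict[str, str]) -> bool:
    """Return True only when the request carries a well-formed GPC signal.

    The GPC specification defines exactly one value, "1". An absent header,
    "0", "true", or any other token is not a signal, so only "1" counts as an
    opt-out; surrounding whitespace is tolerated because HTTP allows it.
    """
    normalised = {k.lower(): v for k, v in headers.items()}
    return normalised.get("sec-gpc", "").strip() == "1"


@dataclass(frozen=True)
class Vendor:
    name: str
    # True when the vendor processes data only on the business's behalf under a
    # service-provider contract; False when the vendor may use the data for its
    # own purposes, which is what the regulations treat as selling or sharing.
    service_provider: bool


# Constructed catalogue for the example; a real one is driven by the data map.
CATALOGUE: list[Vendor] = [
    Vendor("first-party-analytics", service_provider=True),
    Vendor("ad-network-retargeting", service_provider=False),
    Vendor("social-pixel", service_provider=False),
]


def vendors_to_load(headers: dict[str, str], catalogue: list[Vendor] = CATALOGUE) -> list[str]:
    """Decide which third-party tags a page may load for this request.

    With an opt-out signal present, only service providers are loaded; tags that
    would sell or share personal information are suppressed.
    """
    if gpc_opt_out(headers):
        return [v.name for v in catalogue if v.service_provider]
    return [v.name for v in catalogue]


# Constructed sample requests (not captured traffic).
REQUEST_WITH_GPC = (
    "GET /products HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Sec-GPC: 1\r\n"
    "\r\n"
)
REQUEST_WITHOUT_GPC = (
    "GET /products HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "\r\n"
)


def decide(raw_request: str) -> list[str]:
    """Convenience wrapper: raw request in, list of permitted vendor tags out."""
    return vendors_to_load(parse_headers(raw_request))


if __name__ == "__main__":
    print("with GPC:   ", decide(REQUEST_WITH_GPC))
    print("without GPC:", decide(REQUEST_WITHOUT_GPC))
```

The decision is made per request from the header alone, because the signal is browser-wide and must be honored even for a visitor who has never interacted with a consent banner. The vendor catalogue is where the data inventory from step 4 and the contract review from step 9 meet: a vendor belongs in the service-provider group only if the contract actually restricts it to processing on the business’s behalf.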
7) Update privacy policies
8) Perform regular risk assessments and audits
The CPRA requires businesses whose processing presents significant risk to consumers’ privacy or security to perform periodic risk assessments and annual independent cybersecurity audits; the regulations defining those obligations are still in preliminary rulemaking. Even if they’re not required, periodically going through them can identify gaps in your privacy program and processes.
9) Reassess contracts
The CPRA expands contractual obligations for contractors, service providers, and third parties. These contracts may need to be revisited and revised to comply with the CPRA and guard against unnecessary liability.
In order to remember these 9 steps, download your CPRA compliance checklist:
The future is about multi-regulations, and CPRA compliance is just the start
The full text of the California Privacy Rights Act (CPRA) regulations runs to 66 pages.
The new laws make the nation’s toughest data privacy law even tougher and give California more authority to enforce the state’s ongoing CCPA investigations.
Financially and reputationally, businesses may not be able to afford the hit of an enforcement action. And yet, at the end of 2022, more than 9 out of 10 businesses were still unprepared for the CPRA.
That’s a lot to digest and plan for, and it's only the first law in a series of emerging state regulations, not to mention what's happening in other countries around the world.
Companies need to act now to implement CPRA compliance solutions and get ready to handle multiple regulations in a fast-changing regulatory landscape. But they don’t have to act alone. Didomi can help.
Frequently Asked Questions (FAQ)
What does CPRA stand for?
CPRA stands for "California Privacy Rights Act".
When will CPRA enforcement begin?
The CPRA went into effect on January 1, 2023. The final rules are expected to take effect in April 2023, ahead of enforcement beginning July 1, 2023.
How to get ready for the CPRA?
You can prepare for the CPRA by going over the CPRA compliance checklist in this article, downloadable here.
What are some of the other data privacy laws in the U.S.?
Other data privacy laws in the U.S. include the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), and the Utah Consumer Privacy Act (UCPA).
Head to our article on consumer data privacy laws in the United States for a full coverage of the privacy landscape in the U.S.