The California Privacy Rights Act (“CPRA”), which amends and adds to California’s comprehensive consumer privacy law, the California Consumer Privacy Act (“CCPA”), went into effect January 1, 2023. Under the CPRA, the California Attorney General and the California Privacy Protection Agency (the “Board”) are directed to adopt regulations to guide implementation of the CPRA requirements.
On February 3, 2023, the Board adopted final draft regulations (“Proposed Regulations”), which are largely the same as the previous version released in November 2022. However, the Proposed Regulations are now before the California Office of Administrative Law (“COLA”) for final review. COLA has the authority to instruct the Board to change some of the draft regulations, as it has done in the past. Assuming COLA approves the Proposed Regulations, we expect they will be finalized and effective in April 2023.
Significantly, the Board and the California Attorney General can begin to enforce the CPRA – and any finalized regulations – beginning on July 1, 2023. That gives companies less than 3 months to take steps to comply with the new regulations. We recommend that companies begin updating their data privacy and security compliance programs now based on the final draft regulations, with the understanding that companies may have to make adjustments once the regulations are officially approved.
The Proposed Regulations include:
- Details on how organizations should implement ways for consumers to exercise their new consumer privacy rights, including the right to delete and the right to correct.
- Restrictions on the collection and use of personal information, in particular how personal information may be used for advertising purposes.
- Guidelines and restrictions for processing sensitive personal information, including health and biometric information used to create inferences about a consumer.
- Instructions on how organizations must notify consumers of their data collection and use practices, including privacy policies and notice at collection.
- Requirements that an organization honor consumer opt-out preferences communicated through an automated signal and provide easily accessible tools for consumers to submit rights requests over web and mobile applications.
- Additional detail on the definitions of sale and sharing personal information.
- Clarification on requirements related to contracting with third parties and service providers.
- Updated requirements for website homepage privacy links for consumers.
Once the Proposed Regulations are finalized, organizations will still need to keep the CPRA on their radar. This is because the Board is already discussing new topics for a second round of rulemaking, focused on cybersecurity audits, risk assessments, and automated decision-making.