Since 2018, businesses have been working diligently to hit the ever-moving target of California Consumer Privacy Act (“CCPA”) compliance. Just as the California Attorney General had begun CCPA enforcement, the State has now voted to approve Proposition 24, the California Privacy Rights Act (“CPRA”), to create what amounts to a new CCPA. Like the CCPA, the CPRA will go through a series of changes before its enforcement date. Notwithstanding the foregoing, businesses should begin to prepare for compliance implementation.

What is the CPRA timeline?

CCPA Compliance

Businesses that have not already become CCPA compliant should first focus their efforts on doing so. Getting CCPA compliant will help avoid becoming the subject of private rights of action and/or investigation by the California State Attorney General. Important compliance measures that are worth noting include: 1) implementing and posting a privacy policy that discloses the categories of consumers personal information collected, the sources from which such personal information is collected, and the commercial or business purpose for which the personal information was collected or sold; 2) providing consumers with appropriate forms related to the sale, collection and disclosure of personal information; and 3) supplying consumers with notice prior to or at the point of collection to inform consumers about the categories of personal information that the business collects and the purposes for which the information will be used.

Important CPRA Dates

The CPRA becomes effective five (5) days after the Secretary of State certifies the Proposition 24 approval vote which will occur on or before December 11, 2020. On January 1, 2023, the CPRA will become operative, and apply to consumer information collected on or after January 1, 2022.

In turn, the CPRA will become enforceable on July 1, 2023. Until July 1, 2023, the current CCPA will remain the governing law insofar as California consumer data privacy is concerned. Starting as early as July 1, 2021, the California Privacy Protection Agency (the “CPPA”), a new regulatory body created pursuant to the CPRA, can act on its rulemaking authority in order to adopt final regulations by July 1, 2022. Each rulemaking period will offer the opportunity for businesses to comment on new rules and attempt to shape the final construction of the CPRA.

Preparing for the New CCPA

Many businesses are frustrated by what seems like privacy regulations that are in a constant state of flux in California. This is, in large part, correct. Nevertheless, businesses must continue to preemptively address compliance measures in order to avoid enforcement action in the future. Data privacy is an active regulatory arena that will only continue to develop on a state and federal level. As such, working with experienced counsel to maintain compliance will help businesses make a smooth transition from the CCPA to the CPRA – the new CCPA.