Since 2018, businesses have been working diligently to hit the ever-moving target of California Consumer Privacy Act (“CCPA”) compliance. Just as the California Attorney General had begun CCPA enforcement, the State has now voted to approve Proposition 24, the California Privacy Rights Act (“CPRA”), to create what amounts to a new CCPA. Like the CCPA, the CPRA will go through a series of changes before its enforcement date. Notwithstanding the foregoing, businesses should begin to prepare for compliance implementation.
What is the CPRA timeline?
Important CPRA Dates
The CPRA becomes effective five (5) days after the Secretary of State certifies the Proposition 24 approval vote which will occur on or before December 11, 2020. On January 1, 2023, the CPRA will become operative, and apply to consumer information collected on or after January 1, 2022.
In turn, the CPRA will become enforceable on July 1, 2023. Until July 1, 2023, the current CCPA will remain the governing law insofar as California consumer data privacy is concerned. Starting as early as July 1, 2021, the California Privacy Protection Agency (the “CPPA”), a new regulatory body created pursuant to the CPRA, can act on its rulemaking authority in order to adopt final regulations by July 1, 2022. Each rulemaking period will offer the opportunity for businesses to comment on new rules and attempt to shape the final construction of the CPRA.
Preparing for the New CCPA
Many businesses are frustrated by what seems like privacy regulations that are in a constant state of flux in California. This is, in large part, correct. Nevertheless, businesses must continue to preemptively address compliance measures in order to avoid enforcement action in the future. Data privacy is an active regulatory arena that will only continue to develop on a state and federal level. As such, working with experienced counsel to maintain compliance will help businesses make a smooth transition from the CCPA to the CPRA – the new CCPA.