Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

core/image

In sports, they sometimes call it a rebuilding year – the team hires new players or a new coach, restructures, updates strategy, and prepares for the next season. In the world of California privacy compliance, 2021 was a rebuilding year for many companies. While handling ongoing compliance with the California Consumer Privacy Act (CCPA), businesses were simultaneously planning for the changes coming Jan. 1, 2023, when the California Privacy Rights Act (CPRA) expands the CCPA’s requirements.

core/paragraph

Although existing CCPA compliance can be leveraged to meet some of the CPRA’s obligations, other aspects of the updated law may require businesses to rebuild parts of their privacy compliance programs. The CPRA revises the CCPA in many ways, including by:

core/list

On May 27, 2022, the CPPA released initial <a href="https://cppa.ca.gov/meetings/materials/20220608_item3.pdf" target="_blank" rel="noreferrer noopener">Proposed Regulations</a> interpreting the CPRA’s new requirements and updating many existing rules. It also published an <a href="https://cppa.ca.gov/meetings/materials/20220608_item3_isr.pdf" target="_blank" rel="noreferrer noopener">Initial Statement of Reason</a><a href="https://cppa.ca.gov/meetings/materials/20220608_item3_isr.pdf">s</a>, explaining the thought process behind the Proposed Regulations. On June 8, 2022, the CPPA board approved the draft Proposed Regulations as the basis for the formal CPRA rule-making process, which is expected to continue through the <a href="https://www.bakerdatacounsel.com/cpra/cpra-regulations-postponed/">third or fourth quarter of 2022</a>.

The Proposed Regulations include many new or updated requirements compared with the core statutory text of the CPRA. While a thorough review of the Proposed Regulations is critical for CPRA compliance, businesses should pay especially close attention to the following rules:

These are only a sample of the rules making an impact on businesses’ compliance with the CPRA. Moreover, this set of Proposed Regulations does not address cybersecurity audits, privacy risk assessments or automated decision-making, which are expected to be covered as part of a future rule-making package.

As businesses rebuild their CCPA compliance programs with an eye toward CPRA compliance, it will be more important than ever to have a thorough understanding of the personal information the company handles, a process in place for responding to privacy rights requests, and ongoing training and procedures to make sure appropriate contractual terms are implemented, privacy notices are kept up to date, and audits and risk assessments are performed when needed.

For an outline of key steps for CPRA compliance, please check out our <a href="https://www.bakerlaw.com/webfiles/A%20Road%20Map%20for%20CPRA%20Compliance.pdf">CPRA Compliance Road Map</a>. Click <a href="https://www.bakerdatacounsel.com/cpra/cppa-publishes-notice-proposed-rulemaking/">here </a>for in-depth coverage of the Notice of Proposed Rulemaking, released July 8, 2022.

DSIR Deeper Dive: Are you ready for the CPRA?