On Feb. 17, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to address several topics, including the rulemaking under the California Privacy Rights Act (CPRA). Although the CPRA includes a July 1 deadline for the Agency to promulgate final regulations, it is clear the CPPA will not meet that deadline given the delays it continues to face in hiring staff and beginning operations. In the words of CPPA Executive Director Ashkan Soltani, “[W]e’re building the car while we drive it.”
Director Soltani estimated that the CPPA will publish final regulations in the third or fourth quarter of 2022, giving businesses little time to implement compliance with the regulations ahead of the CPRA’s Jan. 1, 2023 operative date. By statute, formal rulemaking will begin in April, six months after the CPPA’s Oct. 21, 2021 notice to the California Attorney General (OAG) that the Agency is ready to assume rulemaking responsibilities. Director Soltani also indicated that draft regulations may be issued after the second quarter of 2022, meaning we may not see them until June.
For those wondering whether this impacts the enforcement deadline, here is a link for a recording of a webinar with Chairperson Jennifer Urban from Oct. 5, 2021 in which she discussed the California rulemaking process, authority given to the Agency for enforcement, and the topics on which the CPPA will focus for rulemaking. During that webinar, Chairperson Urban said that the Board is looking at the possibility of a formal extension of the CPRA’s July 1, 2023 enforcement deadline. A summary of the Oct. 5, 2021 statements Chairperson Urban made to the California Lawyers Association can be found here.
Despite the delays surrounding the CPRA regulations, businesses are well advised to work on CPRA compliance now. For those wondering where to begin, we published an overview that can be found here.
In addition to conducting gap assessments and data mapping, the CPPA encourages stakeholder participation. The path to the final regulations will involve preliminary hearings planned for March and April 2022, at which the Agency will receive input from subject matter experts as well as consumers, businesses and other stakeholders.
Meanwhile, the OAG filed a request with the state to move the current regulations under the California Consumer Privacy Act to a new section in the California Code of Regulations, where they will be renumbered for the CPRA.
Stay tuned for further updates on the CPRA rulemaking process from the authors and others in BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group.