Compliance activities loom large as organizations gear up for the California Privacy Rights Act to take force next year. Remaining measures depend largely on the substance of the California Privacy Protection Agency's much-anticipated CPRA rulemaking.
The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law's Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. While offering a rulemaking update at a recent board meeting, CPPA Executive Director Ashkan Soltani indicated completion of the rulemaking process will go beyond the July target date.
"The agency's rulemaking authority takes effect in April. When we have information gathered through preliminary work, we can expect formal proceedings for a formal rulemaking package in Q2," Soltani said during the public meeting. "Formal proceedings, including public hearings, will continue into Q3 with rulemaking being completed in Q3 or Q4. While this puts us somewhat past the July 1 rulemaking schedule in the statute, it allows us to balance staffing of the agency while undertaking substantial information gathering to support our rules."
There was no further dialogue or explanation from Soltani or any CPPA board members on the amended rulemaking timeline.
Some foreshadowing for a potential missed deadline came up in a prior board meeting. During its meeting September 7 to 8, 2021, the CPPA Board discussed potential remedies for a missed deadline, including a formal extension, enactment of temporary or "emergency" regulations, or adding compliance grace periods. Soltani's latest update did not include a rationale for why or how the agency would be able to miss its deadline.
"I'm not surprised, but very disappointed because companies are working hard to update policies and procedures and to implement changes that are required for digital properties, and cannot complete that work without knowing what the regulations will require," Loeb & Loeb Partner Tanya Forsheit, CIPP/US, CIPT, PLS, said. "And the regulations here will be much more extensive than the CCPA regulations were. Keep in mind that readiness is not just an exercise in obtaining legal advice. Companies actually have to operationalize and that takes time."
This is familiar territory for companies trying to comply with California privacy law. The California attorney general's office went past its deadline to produce regulations for the California Consumer Privacy Act in 2020, with those regulations taking effect more than a month later. In that instance, the attorney general's office opted against any sort of enforcement delay, noting that companies had ample time to complete compliance activities despite the delay on regulations.
Given the attorney general made modifications to CCPA regulations on six occasions since their release, Baker McKenzie Partner Lothar Determann sees the slowed but thorough approach being taken by the CPPA as a positive for businesses and their compliance work.
"The CPPA is well-advised to consider, deliberate and consult with appropriate time," Determann said. "From the outset, the CCPA project has been plagued by unreasonably rushed legislative processes, which resulted in a large swath of errors and confusion through amendments. … The CPPA should take appropriate time to understand what is already legislated and regulated before adding more regulations or changing existing ones."
Hang tight or press forward?
As Forsheit noted, the delay certainly leaves companies in an awkward spot. They can continue their compliance activities based on speculation and anticipation of what will be in the regulations, risking further tweaks or gaps in privacy programs once the regulations are released. The other option is to hold in place and wait for the release, which could ultimately put a company behind in what currently projects as a short compliance window.
"Salesforce has been tracking CPRA's implementation closely. Last week's news of delay does not affect the timeline of our company compliance review efforts," Salesforce Vice President & Associate General Counsel, Global Privacy Ed Britan said. "We continue to move forward for both internal compliance and providing information for customers prior to January. However, depending on the extent of the delay of the regulations, we would expect a similar delay on the enforcement measures."
Companies that opt for a pause in some areas of CPRA compliance do so based on a need for crucial clarifications that only the regulations can provide. Jason Sarfati, chief privacy officer and vice president of legal for location intelligence provider Gravy Analytics, has his eye on a few key areas that require further explanation.
"Two of the most impactful changes brought on by the CPRA are the introduction of the concept of 'sharing' and the new 'sensitive personal information' category," Sarfati said. "The volume of data transfers that qualify as 'sharing' is exponentially larger than those that are traditionally understood as 'selling.' It will be difficult for businesses, many of which had relatively limited exposure to the CCPA, to genuinely adjust their data processing activities until the CPPA provides additional guidance on how personal information may be shared under the new framework. This is especially true for businesses that process personal information that the CPRA has declared as sensitive."
A win-win scenario for the CPPA and businesses would be a formal or informal extension on the July 1, 2023, enforcement deadline. Such a move for an expanded grace period would allow organizations to breathe a sigh of relief as they finish compliance work while it would help the agency promote optimal compliance with no excuses.
In a conversation with the California Lawyers Association in October 2021, CPPA Board Chair Jennifer Urban spoke on her own behalf regarding the various options for extending the CPRA enforcement deadline in the wake of potentially missing what she deemed to be a "particularly aggressive" finalized regulations deadline as the agency deals with "complex regulations with a lot of stakeholders."
While the formal avenues outweigh the informal, Urban didn't shy away from explaining how a sort-of handshake agreement on delayed enforcement could pan out.
"There's also the option of just saying we aren't going to make this deadline and here's what we're planning to do about it," Urban said, noting the CPPA will actively receive counsel on all of its options for a potential extension if need be. "For example, extending when we might begin enforcing would take a delay (on regulations) into account so people have time to understand and implement the regulations."
Determann believes some form of "reasonable adjustment period" would prove important for the CPPA as it "risks challenges and losing cases" if enforcement of the regulations is not enacted on a proper timeline. He added the potential legal blows "would undermine their authority and the purposes of the statute."
Sarfati likened the current situation to the adjustment companies faced with the EU's updated standard contractual clauses. In that instance, companies were given 18 months to understand the new provisions and build them into existing processes. Sarfati hopes the CPPA arrives at a similar approach for companies to be able to get their footing.
"The end goal for everyone should be to give businesses ample time to consult with their internal and external resources to sincerely incorporate these changes," Sarfati said. "Also, the fact of the matter is many companies have limited budgets allocated for privacy compliance. Spreading budgets out over a longer period of time will allow for additional financial resources to be dedicated to CPRA compliance, and inevitably produce much higher quality end-results for both businesses and consumers alike."