The delay on California Privacy Rights Act regulations has proven difficult for everyone involved. Covered entities are in a bind trying to address CPRA compliance ahead of the Jan. 1, 2023, effective date without final rules being promulgated by the California Privacy Protection Agency. On the other hand, the CPPA is trying to work diligently and tactfully in the face of criticism for running well past its initial July 1 deadline to finalize regulations.
The pressure on both sides could ease soon though with the CPRA rulemaking process entering the final stretch. The CPPA recently approved modifications to the draft regulations and opened a 15-day public consultation that runs through Nov. 21.
If no further work is required after the public comment period closes, the CPPA Board will draft a final rules filing and vote to send the finalized package to the California Office of Administrative Law. That package will include a Final Statement of Reasons and responses to all public comments throughout the process. And under the current track, the final regulations could be published by January or February following the 30-day OAL review.
The modifications submitted for comment include a range of updates concerning key compliance topics, including treatment of consumer opt-out signals, use of sensitive personal information and clarifying tweaks to some definitions. The most glaring approval by the board was a proposed regulation that opens the door, at the discretion of the agency, for a potential delay on CPRA enforcement, which begins July 1, 2023.
"The California Privacy Protection Agency should take its time to carefully consider all input after the period for comments closes on Nov. 21. The current draft redline is 73 pages long and extremely complex," Baker McKenzie Partner Lothar Determann said. "Inevitably, it contains errors, inconsistencies and sections prone to create unintended consequences that should be improved before the regulations are finalized."
Potential enforcement reprieve welcomed
The proposed regulation to allow agency consideration for an enforcement delay on a case-by-case basis may bring a collective sigh of relief for companies. The proposal states the agency "may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements."
CPPA Executive Director Ashkan Soltani announced in February the agency would miss its July 1 finalization deadline due to the balance of standing up a new agency while carrying out a thorough rulemaking procedure. Companies haven't had a true sense for whether rules would come before the CPRA's Jan. 1, 2023, effective date, leaving many to wonder if they'd be penalized for noncompliance even in the absence of final regulations.
"This seems fair given all the delays and a large chunk of promised rules still missing. It is reasonable to expect enforcement to be phased in in stages," DataGrail Senior Privacy Advocate Alex Krylov, CIPP/US, CIPM, FIP, said. "This will help alleviate the anxiety many businesses we talk to are feeling. It's not just about the CPRA after all."
In addition to CPRA taking effect and becoming enforceable in 2023, comprehensive privacy laws in Colorado, Utah and Virginia will also take force at different points next year.
The rulemaking delay has also impacted compliance budgets. With the drafting process bringing constant additions and subtractions, companies have either sat idle or been forced to overshoot with funding for compliance programs.
"Rather than consider whether the delay in enforcement is feasible, I think we should be acknowledging the challenging feasibility of trying to comply with a moving target this late in the year," Hintze Law Senior Associate Charlotte Lunday, CIPP/E, CIPP/US, CIPM, said. "Each draft of the regulations results in a new iteration of agreements, notices, and product designs, as well as evolving stances on legal positions — even in active negotiations."
Unpacking approved modifications
The CPPA's focused approach to rulemaking is easily forgotten amid the delayed process. This current rulemaking initiative covers 22 topics, which signaled the agency's desire to zero in on making specific clarifications that it felt were timely and impactful rather than missing details while undertaking a broader swath of topics.
The work to clear up misinterpretations around handling opt-out signals is particularly noteworthy. Misconceptions around whether honoring the Global Privacy Control signals was mandatory under California law and the user opt-out violations in the first-ever California Consumer Privacy Act enforcement action have made clarity in this area a priority.
Several clarifications around opt-out signals were made in the approved modifications, including honoring opt-out signals in a pseudonymous manner unless a user elects to provide personal details to ensure offline opt-outs as well.
"On the one hand this leans into the CPRA's data minimization principle while supporting cross-browser and cross-device scenarios where linkage already exists," Krylov said. "In a less explicit way, it highlights a wall between offline and digital data selling and sharing. This is perhaps for the best. Translating something like a cookie ID to a real-world person would break the privacy promises of many and be counterproductive."
Loeb & Loeb Partner Jessica Lee, CIPP/E, CIPP/US, CIPM, said the modifications brought "no major surprises," and she appreciated how they "address some of the confusion created in certain areas and to simplify certain requirements."
"One example is the requirement to list all third parties or their practices on a notice at collection," Lee said. "The logistics of addressing this requirement are complicated, and with 60 days left in the year and code freezes on the horizon, it’s one less problem to solve as companies work through the other requirements of the law."
When's the finale?
While the early 2023 projection for final rules seems plausible, it's not a certainty. Potential further clarifications that arise during the comment period and the OAL review could present hurdles while a potential time crunch for the CPPA during the holidays also looms.
Determann said any outside demands for the CPPA to meet a year-end finalization are "misplaced" and waiting for final rules to get compliance programs up to speed "is not advisable because the statutory requirements are very detailed and prescriptive." Lee added a January 2023 finalization might be realistic, but it might not be as helpful as companies believe.
"If we get final regulations on Dec. 30, it’s not like companies are going to call everyone back from vacation, office closures, code freezes or anything of the like, for a 24-hour implementation sprint," Lee said. "Companies need to take the regulations as they are now and work to implement with the risk that there could be more change."