California Privacy Rights Act

“The CCPA/CPRA – Final Rules Being Pushed Back”

There has been confusion both in the industry and outside the industry regarding the effective date of the CCPA/CPRA ‘regulations’ being pushed back, likely until April 2023.

What happened?

On October 17, 2022, the California Privacy Protection Agency (CPPA) (which is a rulemaking and enforcement body created by the CCPA/CPRA) released its proposed regulations showing all the edits that have gone into the current regulations. These revisions are expansive. The document is 72 pages long. They were expected to be finalized by January 2023 to coincide with the CPRA amendments becoming fully effective.

Unfortunately, on December 16, 2022, the CPPA announced that the release of the final regulations will be pushed back to April 2023, probably.

What’s the Confusion?

There are some recent articles circulating, that seem to conflate the CPRA amendments to the CCPA with the draft amendments to the regulations. They are two separate things. The CPRA amendments are coming fully into effect in January 2023 come Hell or high water. You need to be in compliance at that time. That is not getting pushed back to April. 

The Reality?

People are getting worried because the CPRA amendments will be enforced starting July 1, 2023. That’s not very far from ‘maybe April’ and there is still not alot of clarity on what the forthcoming regulations are spelling out.  However, the forthcoming regulations are not expected to change very much at all from their current draft form. They can be viewed here.

So what you need to do is work toward compliance using those draft regulations as soon as possible and if there are some minor changes in April, they can be more easily dealt with then.

Here is a nice sentiment by CPPA stating the following:

“As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

So. They are saying they may be nice, maybe. If they deem it proper. I probably wouldn’t hang my hat on that.

If you need any help with getting compliant with the CCPA/CPRA please don’t hesitate to give me a call. I am always available to provide counsel on these and other matters concerning data privacy and the legal ramifications around it. 

Was this article helpful?