California's CPRA Delay is More Trouble Than You Think
In a last-minute turn of events, California’s CPRA amendments to its data privacy regulation, the CCPA, did not enter into effect on July 1, 2023. Long scheduled to do so, the California Chamber of Commerce changed the script with a formal complaint filed in late June. The CoC argued businesses needed a proper transition period between the finalization of the new CPRA rules and their enforcement.
The Superior Court of California issued a tentative pause on June 29, and then one day later on June 30, hours before CPRA would have gone into effect, officially ordered a delay of the amendments until March 2024.The Court set the new enforcement date at March 2024 since the CPRA was fully finalized only in March 2023, giving businesses a full year to conform to new compliance requirements.
Will the goal posts moving result in any substantial change to CCPA compliance, even in 2023? Probably not.
Ashkan Soltani, the Executive Director of the recently formed California Privacy Protection Agency, has gone on record saying that this initial period of the CPRA would be heavily focused on educating and informing the public about consumers’ and employees’ expanded data rights as well as the responsibilities businesses hold. Even in light of the previous July 1 enforcement date, Soltani noted, “We hope to drive voluntary compliance given we are still in the process of building out our enforcement team.”
The core tenets of the CCPA remain the same and enforceable, adding another mark for continued compliance until March 2024. The CPPA, the organization created to enforce the regulations, has maintained that much of the CPRA seeks to clarify rather than add to compliance obligations.
The problem lies in the fact that so much of the regulation needed clarification, and the long process that it took to deliver amendments to the CCPA.
To preface what’s to come, it’s important to say that California is an objectively remarkable place. The state on its own is the world’s fourth largest economy, has a reverence and romanticism to it that virtually nowhere else in the United States can claim, and has seen copious innovation birthed within its borders…
But this delay is messy. The ruling and decision itself, maybe not so much in that providing 12 months for businesses to adjust is logical, but the route to get there makes California look bad.
The process to finalize and approve the entirety of the CPRA was delayed, with the timeline pushed back several times until the text was finally approved in March 2023. Why California did not consider that and push back the enforcement timetable immediately, officials have yet to comment on publicly.
California, unlike the other 11 (!) states that have passed data privacy regulations, went big in its attempt to protect individuals’ data rights and ensure businesses handle data responsibly. It is far and away the closest comprehensive American data privacy regulation to the EU’s GDPR, which should serve as the global benchmark for any data regulation. For that, the state should be applauded.
However, with virtually every other state shying away from a California-inspired data privacy law in favor of more business-friendly statutes, California was already lacking influence in American data protection. While it very much informs how businesses approach their data protection programs in America, if the CCPA cannot influence other state laws, then it hasn’t achieved what the state set out to do: lead the charge on data protection in the U.S.
The CPRA enforcement delay is yet another example of how impenetrable Californian bureaucracy can often be, a striking indicator of how the state’s vision and execution have failed to align on several ambitious initiatives.
It doesn’t help that Connecticut and Colorado, states that passed comprehensive data protection regulations after California, both had their laws go into effect on July 1, 2023, as was the plan.
In the wake of the CPRA delay and the confusion it created among businesses, California is less likely now than it was weeks ago to substantially impact the overall landscape of data privacy legislation.
The smooth model other states like Connecticut and Virginia have paved to create and roll out data regulations only look more and more appealing as California again fumbles the ball, which could be key in how far American data protection goes in the next few years.