Data Privacy Hub

close icon
News & Press

CPRA Amendments Set and Sent for Final Approval Ahead of July 1 Enforcement

CPRA
Press Release
Feb 9, 2023
2
min read

The upcoming CPRA data regulations were finalized this week, as the California Privacy Protection Agency Board voted 4-0 to finalize its first set of the proposed regulations.

The final rulemaking package will now go to the California Office of Administrative Law for review and approval. The OAL's 30-day review window is more or less just a bureaucratic step, and the CPPA now anticipates final regulations taking effect sometime in April ahead of the planned enforcement beginning July 1.

The proposed final rules weighed in on topics such as data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling. Although the newly formed CPPA agency welcomed input and spent nearly an extra year discussing the regulations, the final proposal did not significantly change from the modifications adopted during the CPPA’s October meetings.

Those Autumn changes to the bill have been described by some legal scholars as an attempt to align the CPRA more closely with other comprehensive state data regulations. California has long pushed for stricter data privacy control and more user rights, which other state bills have shied away from in an attempt to ease the burden on businesses. 

With the final modifications to the CPRA seeking to clarify terminology within the bill rather than expand its requirements, companies that have been waiting the past few months in limbo as they tried to ensure compliance should breathe easy. 

While not everything in the bill is clear, including a key distinction between service providers and contractors, there is a discretionary enforcement measure whereby the CPPA will “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements." This figures to be particularly relevant within the first year or two of the new regulation, as the agency and companies find their footing.

The full guidelines can be found
here
Press release can be found
here