On Friday, February 3, the CPPA is scheduled to meet about current and forthcoming CPRA regulations. The Board had previously signaled that it expected to finalize the draft regulations in late January or early February 2023. The agenda confirms that the CPRA regulations will be discussed, including “possible adoption” or “modification” of the text.
Also of interest on the agenda is discussion of rulemaking activities for new rules on risk assessments, cybersecurity audits, and automated decision-making. These topics are of great interest to companies, particularly US-only companies who may not be currently subject to any laws that contemplate these types of requirements.
Putting it into practice. With CPRA’s effective date of January 1, most companies have been implementing the regulations as currently drafted. However, finalization of the rules will bring welcomed “closure” to companies as they continue to operationalize CPRA compliance. Companies should also keep a close eye on the forthcoming regulations on the other topics as these will likely drive the need for additional actions.