The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods.
The proposed final regulations do not contain substantive changes. Now, businesses have confirmation of what text to use in finalizing implementation plans. As we previously noted, the regulations provide an option for a discretionary enforcement delay. The CPPA Board also addressed its next order of business: pre-rulemaking activities on cybersecurity audits, risk assessments, and automated decision-making.
The CPRA regulations now begin the final rule making process. They will be sent to the California Office of Administrative Law for review and approval. The Office of Administrative Law FAQs state that the final regulations will take effect sometime in April 2023 at the earliest. This is ahead of CPRA enforcement beginning July 1, 2023.
Putting it into Practice: While this process is not over, this is a welcome sign for businesses who have awaited clarity and finalization. Companies should continue to monitor for changes or delays in the process. Companies may also want to look through the draft invitation for preliminary comments on the other forthcoming regulations about different topics.