CPRA Enforcement Delayed

July 14, 2023

Major privacy news always seems to drop on a holiday weekend. Leading into the U.S. Independence Day holiday, the Superior Court of California heard arguments from the California Chamber of Commerce. The Chamber successfully argued that businesses had not been given sufficient time to meet the compliance deadlines, as the California Privacy Rights Act (CPRA) intended. The CPRA statute itself remains in force – the Court did not grant the request to also delay enforcement of the statute.

Background

Comprehensive privacy rights legislation in California began with the California Consumer Privacy Act (CCPA), which created a new enforcement body, the California Privacy Protection Agency (CPPA). The CPPA was tasked with creating regulations to accompany the CCPA’s amendments enacted through the California Privacy Rights Act (CPRA). The original deadline for the regulations was July 1, 2022, but because of staffing and resource limitations while the CPPA was being stood up, the first draft of the regulations was not put forth until July 8, 2022. Allowing for the normal rulemaking process, they were finalized eight months later, in March 2023. Had the Agency met the July 1, 2022 target, businesses would have had one year to comply ahead of the July 1, 2023 enforcement date.

To clarify some of these details, let’s review a quick timeline:

[Image: ccpa_timeline.png – CCPA/CPRA rulemaking and enforcement timeline]

Impact of Delayed Enforcement

The Court has tied the enforcement delay to individual regulations as they are finalized and said that the Agency does not need to complete all rulemaking before beginning any enforcement. The CPRA outlines numerous areas for regulation (§1798.185) detailed below.

  1. Categories of personal and sensitive personal information
  2. Definitions of certain terms:
    • “deidentified”
    • “unique identifier”
    • “intentionally interacts”
    • “precise geolocation”
    • “specific pieces of information obtained from the consumer”
    • “law enforcement agency-approved investigation”
  3. Exemptions for complying with state or federal law, including those relating to trade secrets and intellectual property rights
  4. Rules and procedures for:
    • Consumer requests to opt out of sale or sharing
    • Business compliance with a consumer’s opt-out request
    • Development and use of a uniform opt-out logo or button
  5. Monetary thresholds throughout the CPRA, adjusted to reflect increases in the Consumer Price Index
  6. Details for businesses providing required notices
  7. Details for consumers or consumers’ authorized agents submitting rights requests
  8. Frequency of consumer correction requests
  9. Standard governing a business’s determination that an access request is impossible or involves disproportionate effort
  10. Business purposes for use or combination of a consumer’s information
  11. When information may be used for the business’s own purposes
  12. Where processing of personal data poses significant risk, requirements for:
    • An annual cybersecurity audit
    • A risk assessment submitted to the CPPA
  13. Opt-out for automated decision-making
  14. Scope of the CPPA’s audit authority
  15. Requirements and technical specifications for an opt-out preference signal; where the legitimate interest of the business may govern use or disclosure of a consumer’s sensitive personal information, notwithstanding the consumer’s direction; and how to respond when a consumer subsequently consents
  16. Resolution of potential overlap with the existing California Insurance Code
  17. Harmonization with regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms, to promote clarity for consumers

Each of these areas has been addressed in the regulations, and they will be enforced beginning on March 29, 2024, EXCEPT for cybersecurity audits, risk assessments and automated decision-making technology. Enforcement of regulations in those three areas cannot begin until one year after the CPPA finalizes those rules.

The existing CCPA regulations remain in force in the meantime.

There is a public meeting scheduled for July 14, 2023, to discuss enforcement and other topics, as well as a closed session scheduled to examine the court’s decision.

How to Prepare?

As privacy legislation continues to be debated, there are several steps companies can take to position themselves well for the future:

  • Monitor and assess privacy practices against current and forthcoming state laws – the CCPA is in force, and CPRA enforcement is still imminent. Virginia (January 1, 2023), Colorado (July 1, 2023) and Connecticut (July 1, 2023) are all in effect, with Utah (December 31, 2023), Iowa (January 1, 2024), Indiana, Tennessee, Montana, Texas and Oregon coming soon. (See our recent blog post here.) Ensure your company is in compliance – even if enforcement is stayed, your customers now expect greater control over their personal data. Early compliance will garner goodwill and strengthen consumer confidence, deepening your relationships.
  • Incorporate industry best practices – Assess your company’s readiness against the common threads running through U.S. and international privacy laws. Support for the individual’s (data subject’s) privacy rights, impact assessments and applying privacy principles (such as purpose limitation, data minimization and accountability), as well as implementing Privacy by Design (ISO 31700), will put your company in a strong position to respond as more individuals exercise data privacy rights and protections.
  • Start small – Don’t have a privacy function or program in place? It’s okay. There are steps to take at any point in your company’s privacy journey to increase and right-size privacy protections for the individuals whose data you collect, preparing you for the next evolution of legislation – whether at the state, sector, national or global level.

If you have questions about how these developments affect your organization, please drop us a line.

Additional Reading:

  • Infographic: Your Guide to Changing US Consumer Privacy Laws in 2023
  • Blog: Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws
  • Blog: Iowa Enacts Comprehensive Privacy Legislation
  • Blog: California Consumer Privacy Act … It’s Here

Jennifer Mahoney
Manager, Data Governance, Privacy and Protection | Optiv
Jennifer Mahoney has 18 years’ regulatory compliance experience in both consulting and enterprise environments. Her experience ranges from small businesses to Fortune 50 corporations particularly in the technology, state and local, manufacturing and pharmaceutical verticals. Areas of expertise include the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA) / California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and many others.