The California Privacy Protection Agency’s announcement that rulemaking for the state’s landmark privacy law would stretch toward the year’s end—later than the original July 1 deadline for adopting final regulations—casts uncertainty on businesses’ ability to comply before the law goes into effect in 2023.
The delayed timeline puts businesses at risk of being penalized for not complying with the California Privacy Rights Act of 2020 since they would have little time to digest the regulations and incorporate them into their business plans, attorneys say.
“I’m glad to see the CPPA is taking more time rather than rush things,” said Brandon Reilly, partner at Manatt Phelps & Phillips LLP. “That said, the result is that businesses are going to be hard-pressed to conform their readiness programs to comply with that January 1 effective date.”
The CPPA didn’t respond to a request for comment. It plans to complete the rulemaking in the third or fourth quarter of 2022 and hold instructive sessions in March and stakeholder hearings in April, executive director Ashkan Soltani announced last month.
The nature of rulemaking in California, with its mandatory comment periods, makes writing and adopting regulations even in the best of circumstances a lengthy process, said Ashley Shively, partner at Holland & Knight LLP in San Francisco.
The rules for the CPRA are being written by a brand-new agency that is still being built and staffed, Shively said.
Rulemaking for the California Consumer Privacy Act of 2018 took about 10 months from when the California attorney general’s office initiated it until the regulations went into effect. The state’s updated privacy law calls for even more topics for rulemaking, Shively said.
The novelty of the agency—the first of its kind in the U.S.—makes it unsurprising that regulations are taking longer than anticipated, said Jeff Dennis, partner at Newmeyer & Dillion in Newport Beach, Calif.
“I worry that businesses will look at these regulations and the fact that they won’t come online in the summer and take that as an opportunity to slow down their compliance efforts,” Dennis said. “But businesses should get started now.”
Administrative fines can reach up to $2,500 per violation, or up to $7,500 for each intentional violation or violations involving individuals under 16.
The CPRA—which updates existing law to give consumers the right to correct their information on top of the right to ask for its deletion or opt out of its sale—calls for rulemaking in at least 22 distinct areas, including defining the scope of mandated cybersecurity audits and defining what a “business purpose” is under the law. Businesses may also be subject to required cybersecurity audits and risk assessments.
Many companies are seeking guidance related to automated decision-making, opt-out preferences for the sharing of data, and the new right to correct erroneous information, said Jeewon Serrato, partner at Baker & Hostetler LLP in San Francisco.
Implementing new rights for consumers and ensuring that technical specifications—like how a website looks and how consumers can exercise their preferences—are up to snuff can be complicated and costly for businesses, said Gretchen Ramos, shareholder at Greenberg Traurig LLP in San Francisco.
There’s been little specific guidance from the agency around universal opt-outs, for example, Ramos said.
California Attorney General Rob Bonta’s office has said businesses must accept such tools—which would allow users to signal their privacy preferences to multiple websites instead of doing it one by one—for opting out of the sale of personal information. But the CPPA still must spell out what the technical requirements of such a tool should look like.
“Back-end work takes time when companies need to make changes to their websites and platforms,” Ramos said. “It’s tough to build those systems when you don’t have much guidance.”
In the meantime, companies should conduct scoping and data mapping to better understand their data practices and ultimate compliance obligations, Serrato said.
“The regulations are about fine-tuning,” Serrato said. “If you don’t have those two things done, you can’t meaningfully comply with those rules.”
Despite the frustrations that may accompany delayed rulemaking, businesses have the statutory text of the CPRA to work from and shouldn’t wait until regulations are finalized to start preparing for compliance, Shively said. Regulations are necessary to clarify the nitty-gritty, but companies can still prepare more generally by, for example, updating privacy policies and conducting data mapping, she said.
“Businesses need to focus on what is known now and what can be done to prepare for CPRA and have the agility and budget in place to be ready to react as needed when the regulations come out,” Shively said.