California’s beefed-up privacy law arrives in less than a month, yet few observers expect all the necessary rulemaking to be done by January. That’s putting businesses in unclear territory on how to navigate compliance.
“There’s still a lot that our clients are waiting for,” said Cassandra Gaedt-Sheckter, a privacy attorney at Gibson, Dunn & Crutcher LLP. “But as they’re moving into the new year, I think companies are really just attempting to comply with what they understand at this point.”
There’s no clear timeline on when all the rules will be finalized. An initial portion of the new regulations is still in the works, and other topics in the law have yet to be addressed.
Enforcement of the new law is scheduled to begin in July, but companies still need to comply when the law takes effect next month.
State voters approved the California Privacy Rights Act in 2020. It expands consumer rights regarding how companies collect and use personal information. It amends and updates the state’s current framework, the California Consumer Privacy Act, the nation’s first comprehensive privacy law.
Delayed Timeline
Rulemaking delays have happened before. When the CCPA was being put into place, the attorney general’s office also missed the deadline to implement underlying regulations. Final regulations went online August 2020 anyway, a bit later than the statute-imposed July 2020 deadline.
“I don’t think the sky is necessarily falling if all the regulations aren’t in place by January 1, and they’re not going to be,” said one privacy advocate.
The lack of final rules leaves businesses to figure out for themselves how best to comply with the law. When the finalized version eventually comes out, companies may have little time to adjust.
The California Privacy Protection Agency acknowledged that uncertainty in its most recent draft of the rules. When investigating a violation of state privacy law, the agency said it could consider the time between the effective date of the requirement and when the violation occurred.
“Good faith efforts” to comply can also be considered, the draft rules said.
But the California Chamber of Commerce, in a comment shared with Bloomberg Law, said those assurances aren’t enough. Enforcement should be pushed back to one year after regulations are in effect, the group argued.
Backers of the privacy law don’t want any enforcement delay, however.
“Businesses have had since November 2020 to realize that the landscape has changed permanently around the personal information economy in California,” said Alastair Mactaggart, chair of Californians for Consumer Privacy and a member of the CPPA, in a past comment. “It is highly disingenuous for them to argue now that because they don’t know the exact language the regulations will take, they cannot comply with CPRA next year.”
Work in Progress
As of early December, the agency is still working on regulations implementing some of the basics of the CPRA into current privacy rules, such as adding a consumer right to correct personal information or outlining new obligations between businesses and their third parties. A second round of public comment on those changes ended last month.
There have been no draft regulations on other important topics mentioned in the CPRA. An agency meeting Dec. 16 will begin that process. Items that companies and advocates want guidance on include:
- Privacy rights for workers, which come online Jan. 1, will fundamentally change how employers collect and store employee data.
- Similarly, privacy rules will also start applying to business-to-business interactions on Jan. 1.
- Risk assessments, in which a company will have to determine which and how much data processing activities pose a risk to privacy rights. Companies will also have to conduct annual cybersecurity audits.
- The use of automated decision making, or AI, in collecting and using personal information.
For the time being, businesses should follow as best they can the California Privacy Rights Act and any draft regulations that exist, said Gaedt-Sheckter. They’ll probably need to adjust when final rules come out.
Consumers’ privacy rules have more clarity because they’re already outlined in the first state privacy law, said Susan Kohn Ross, who chairs the privacy practice for Mitchell Silberberg & Knupp LLP. Trying to comply with draft regulations may not make sense as long as businesses are following the other set of rules. It can cost money if the final regulations end up being different.
“That’s the guidepost until something changes,” said Ross, referring to the current California Consumer Privacy Act. “We don’t know what those final regulations are going to look like. And until we see them, there’s no telling what the changes are that companies might need to undergo.”