Businesses Struggle to Comply with CPRA without Final Regulations

As companies hustle to follow the new California Privacy Rights Act (CPRA) regulations, they’ve hit a substantial hiccup: there aren’t any yet. The California Privacy Rights Agency (CPPA), the newly created body with administrative authority over the CPRA’s implementation, has yet to release its finalized regulations. The CPRA takes effect on January 1, 2023, and covered businesses are in the final stretch of completing their compliance programs.

The CPPA has released two draft proposals so far, and the most recent draft is in a public consultation period until November 21, 2022. To make matters even more opaque, the CPPA removed several requirements from the first draft to “simplify implementation at this time,” leaving businesses guessing as to which conditions they will eventually need to follow. Many of these proposed rules define technical requirements for websites and mobile applications, so companies will need a runway to achieve a seamless implementation. Luckily, the CPPA has signaled that it will give businesses a soft grace period before pursuing significant enforcement actions. The CPPA’s most recent draft proposal says that it may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” Responsible businesses, though, should proceed as if the most recent draft regulations are the law and plan to update once the final draft is released. Otherwise, they might find themselves scrambling to push out complicated technical updates against the January 1, 2023 deadline.