California Businesses Start 2023 with CPRA Requirements without Official Regulations

Readers of this blog know that we’ve been closely following the California Privacy Rights Act (CPRA) rulemaking process. California passed the law in 2020 to update the California Consumer Privacy Act of 2018 with additional consumer rights and business obligations. The CPRA also established a new government agency, the California Privacy Protection Agency (CPPA), responsible for enforcing the law and drafting regulations.

Unfortunately, writing detailed regulations while balancing the work of breaking ground on a new agency has most likely overwhelmed the CPPA. The CPRA is now effective as of the first of the year, and businesses are still working on compliance with and implementation of the proposed regulations. While much of the draft regulations is likely to remain the same, there are some technical compliance points that companies have to figure out without explicit guidance.

For example, the proposed regulations require businesses to treat “Do Not Track” browser signals as opt-out requests from the consumer. However, processing a “Do Not Track” signal differs from processing specific CPRA data requests. Typical CPRA requests include the consumer’s name and contact information, which the business can check against its records. “Do Not Track” signals only come bundled with technical identifiers (such as the IP address and operating system) that aren’t necessarily associated with a consumer in the business’s records. The conditions change again when the consumer is known to the industry and has opted into tracking, making the technical aspects of compliance even more complicated. Companies will need to develop a strategy to address this requirement (unaided by an industry standard for responding to “Do Not Track” signals).
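To make the three situations above concrete, here is an added illustration (not code from the post, the CPPA, or any vendor) of how a site might resolve a “Do Not Track” signal against its own consumer records. The decision rules, the `ConsumerRecord` structure and the sample request are assumptions for this example; the only fact taken from outside the post is that the browser header `DNT: 1` is how the W3C Do Not Track signal is sent.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ConsumerRecord:
    """Hypothetical record of a consumer the business already knows."""
    consumer_id: str
    opted_into_tracking: bool  # explicit opt-in stored by the business

def dnt_signal_present(headers: dict) -> bool:
    """True when the request carries the W3C 'Do Not Track' header set to '1'."""
    value = headers.get("DNT") or headers.get("dnt")
    return value is not None and value.strip() == "1"

def resolve_tracking_decision(headers: dict, known_consumer: Optional[ConsumerRecord],
                              client_ip: str) -> dict:
    """Decide whether tracking may proceed for one request (assumed policy).

    - DNT signal, unknown consumer: honour the opt-out, but the only key the
      business can record it under is the technical identifiers it received.
    - DNT signal, known consumer who earlier opted in: the signal conflicts
      with the record, so tracking is withheld and the case flagged for review.
    - No signal: fall back to the recorded preference; an unknown consumer
      with no signal is treated as not having opted out.
    """
    signal = dnt_signal_present(headers)
    if signal and known_consumer is None:
        technical_key = f"{client_ip}|{headers.get('User-Agent', '')}"
        return {"track": False, "basis": "dnt-signal", "opt_out_key": technical_key}
    if signal and known_consumer is not None:
        basis = "conflict-review" if known_consumer.opted_into_tracking else "dnt-signal"
        return {"track": False, "basis": basis, "opt_out_key": known_consumer.consumer_id}
    if known_consumer is not None:
        return {"track": known_consumer.opted_into_tracking,
                "basis": "recorded-preference", "opt_out_key": known_consumer.consumer_id}
    return {"track": True, "basis": "no-signal-default", "opt_out_key": None}

if __name__ == "__main__":
    # Constructed sample request from an anonymous browser sending DNT: 1.
    sample_headers = {"DNT": "1", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    print(resolve_tracking_decision(sample_headers, None, "203.0.113.7"))
    # Same signal, but from a consumer who previously opted in.
    print(resolve_tracking_decision(sample_headers, ConsumerRecord("c-1001", True), "203.0.113.7"))
```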

Faced with the January 1 deadline for CPRA compliance, the industry is now hewing as close to the EU’s General Data Protection Regulation (GDPR) controls and implementation as possible. The CPPA may continue to let the standard develop parallel to the GDPR as the path of least resistance for both businesses and regulators.