CPPA Votes to Approve Final CPRA Regulations
For a summary of the California Privacy Rights Act, please see our client alert here.
On February 3, 2023, the California Privacy Protection Agency (“CPPA”) Board voted unanimously to approve its proposed final regulations for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”). The proposed final regulations – which remain substantively unchanged from the draft regulations released in November 2022 – will now be submitted to California’s Office of Administrative Law (“OAL”) for review and approval. If OAL’s review goes as expected, the new regulations could take effect as early as April 2023.
What are the CPRA regulations?
The CPRA regulations are rules that implement, interpret, or make specific the requirements in the CPRA, for example, by clarifying information that must be included in privacy policies and contracts that businesses execute with third parties. After the California Consumer Privacy Act went into effect on January 1, 2020, the California Department of Justice (“DOJ”) issued its own set of regulations, which continue to apply until the CPRA regulations take effect.
What happens next?
Once the CPPA submits its proposed final draft of the CPRA regulations (which is expected to happen within the next two weeks), the OAL will have 30 business days to review and approve the regulations. Assuming that the OAL review process goes as expected, the CPPA expects that the new CPRA regulations could go into effect as early as April 2023.
Separately, the CPPA announced that it was initiating the pre-rulemaking process for a second set of CPRA regulations that are expected to cover requirements around cybersecurity audits, risk assessments, and automated decision-making.
When will the CPRA be enforced?
The CPRA went into effect on January 1, 2023, and will become enforceable from July 1, 2023. However, given the CPPA’s delay in issuing the CPRA regulations, the proposed final regulations allow the CPPA to consider the amount of time between the effective date of the regulations and the timing of the potential violation of the CPRA when deciding whether to pursue an investigation.
What can you do to prepare now?
The CPPA’s decision to approve its proposed final draft of the CPRA regulations provides businesses with some long-delayed and much-anticipated clarity on their privacy compliance. Although the CPRA regulations have not yet received final approval, the OAL does not have the authority to make substantive changes to the draft. As a result, the CPPA expects that the final approved version of the CPRA regulations will be nearly identical to the draft approved at the February 3, 2023, meeting.
Any business that is subject to the CPRA and that has not already done so should update its compliance programs to comply with the new requirements in the CPRA and its regulations. These efforts include conducting a gap assessment of the business’s existing CPRA compliance program, evaluating whether it engages in any specially regulated processing activities (such as “selling” or “sharing” personal information), and making any required changes to public and internal privacy notices.
How can GD help?
If you have any questions regarding this client alert or need assistance with evaluating your obligations under the CPRA, please reach out to your Gunderson Dettmer attorney or contact one of our data privacy experts:
Anna Westfelt (650) 463-5367
Cecilia Jeong (646) 490-9094
Frida Alim (415) 801-4921
James Gately (617) 648-9313
Brian Hall (415) 801-4898