California Privacy Protection Agency Director Ashkan Soltani recently announced that long-awaited regulations related to the California Privacy Rights Act (CPRA) would be delayed. The agency initially scheduled a July 1 deadline to promulgate regulations and allow companies time to comply with the CPRA, which is set to be enforced beginning July 1, 2023. However, Director Soltani recently announced that rules will not be promulgated until Q3 or Q4 of 2022. In a recent public meeting, he stated: “Formal proceedings, including public hearings, will continue into Q3 with rulemaking being completed in Q3 or Q4. While this puts us somewhat past the July 1 rulemaking schedule in the statute, it allows us to balance staffing of the agency while undertaking substantial information gathering to support our rules.”
While neither Director Soltani nor the CPPA offered an explanation, there already were hints that the agency would miss the rulemaking deadline. In the September 2021 meeting, the CPPA board discussed potential remedies for a missed deadline. These included a formal extension, enactment of temporary or “emergency” regulations, or adding compliance grace periods. This is not the first time that privacy regulations have been delayed in California. In 2020, the California attorney general’s office went past its deadline to adopt regulations for the California Consumer Privacy Act (CCPA). Those regulations took effect more than a month later, and the attorney general opted against delaying enforcement.
In remarks with the California Lawyers Association in October 2021, CPPA Board Chair Jennifer Urban spoke on her own behalf and addressed the many logistical and legal impediments in getting the new administrative agency up and running in time to develop and adopt regulations by the deadline. The many challenges include hiring, rulemaking under California’s Open Meetings Act, and the capacity of the board to undertake the many efforts needed to position the administrative agency to begin enforcement. Further complicating the CPPA’s efforts is the obligation to develop a significant volume of unprecedented rules governing issues, such as cybersecurity audits, risk assessments, automated decision-making, and agency audit authority. These rules are expected to double the existing body of regulations under the CCPA.
Urban appears to be considering various options for extending the “particularly aggressive” CPRA statutory deadline for adopting final regulations. One potential option would be “extending when we might begin enforcing [the regulations] … so people have time to understand and implement the regulations.” As an administrative agency, CPPA will have discretion regarding the timing of initiating investigations, holding hearings, and issuing administrative orders. Urban noted that the agency will actively receive counsel on all of its options for a potential extension if necessary. The precise timeline to adopt final regulations is murky, but one thing is clear, companies may find it challenging to comply with potentially significant compliance obligations without the benefit of additional regulatory guidance.
While the regulations will not be promulgated by July 1, companies can still undertake steps to prepare for compliance, such as undertaking a review of current privacy policies and practices and aligning them with CPRA statutory language requirements. Companies may choose to engage in the agency’s rulemaking by attending upcoming informational hearings when announced, which also may shed light on what is to come out of the regulations.
At Troutman Pepper, we understand the complexities of information technology and how it intersects with the changing regulatory landscape. Our team is dedicated to breaking down complex legal issues and providing guidance that the business and information technology/security can understand. As it relates to the CPRA, Troutman Pepper issued a compendium on the CPRA, which provides an overview of the operational impact of the CPRA on existing CCPA compliance frameworks. It focuses on issues, including notable updates to existing definitions, the addition of new consumer rights, modifications to existing CCPA rights, and newly introduced concepts (at least for the CCPA), such as data minimization and limitations on the use of “sensitive personal information.” Readers can access Troutman Pepper CCPA-related articles and resources by clicking here.
 It is worth noting that the California attorney general’s office was not subject to the same open meeting requirements as the CPPA, and the rulemaking process was much more efficient as a result. Even so, meeting the aggressive deadline proved challenging in 2020.