New Calif. Privacy Law to Take Effect Jan. 1, but Final Rules Are Still Months Off
California Privacy Rights Act (CPRA) rules could take effect in April or later, said California Privacy Protection Agency Executive Director Ashkan Soltani at the agency board’s virtual meeting Friday. The law itself takes effect Jan. 1. Board member Alastair Mactaggart raised concerns about the process’ estimated length. "It's urgent that we get this stuff out to the community as soon as possible,” he said.
Privacy attorneys following the CPRA raised questions about what will be effective Jan. 1 in light of delays in making rules, which the 2020 statute originally required to be finalized by July 1 this year (see 2202280040). The CPRA, which replaces 2018's California Consumer Privacy Act (CCPA), still takes effect Jan. 1, but the rules won’t take effect until the California Office of Administrative Law (OAL) approves them, Privacy Protection Agency board Chair Jennifer Urban said Friday during a public comments round. Existing CCPA rules remain in effect until the new rules take effect, added General Counsel Philip Laird. The Privacy Protection Agency should consider making a clarifying statement so there isn’t uncertainty for attorneys advising clients, said Mactaggart. Make it clear on the CCPA website, said board member Lydia de la Torre.
Privacy Protection Agency staff doesn’t plan to recommend further changes to proposed rules, said Soltani. In comments last month on revised draft rules, businesses raised concerns that proposed rules were too restrictive, while consumer groups said they should be strengthened (see 2211220064). Agency staff completed an initial review of the comments and is preparing summaries and responses, said Soltani. Expect an updated statement of reasons in mid-January so the board can discuss rules in January or February, he said. If no changes are made, staff could submit a final rulemaking package to the Office of Administrative Law in early to mid-February, he said. OAL would then have 30 business days, or about 45 calendar days, to review rules, which could mean April approval, said Soltani: If OAL doesn’t approve rules, the Privacy Protection Agency would get 120 days to cure any problems, which could include revising regulations and seeking more comments.
The agency is nearly done staffing up its legal, policy and administrative teams, said Soltani: It hopes to complete hiring for chief information officer, budget manager and public defense deputy next month. The agency will post jobs in “coming weeks” for an assistant chief counsel and enforcement deputy director, the executive director said. “We anticipate the enforcement lead … to be one of the more difficult recruitments given the specializations required.”
The five-seat agency board had only four members at the meeting. Chris Thompson had resigned from the board to become chief of staff for Los Angeles Mayor Karen Bass (D), said Urban.
"The unknown CPRA status could make compliance more challenging since" covered organizations "will have less time to study the final regulations before enforcement begins," CompliancePoint blogged earlier this month. Latest changes to rules show that the state privacy agency "could grant organizations some wiggle room regarding the enforcement date," scheduled to begin July 1, it said.