The California Privacy Protection Agency’s (“Agency”) long-waited regulations to guide enforcement of the California Consumer Privacy Act (“CPRA”) were approved by the California Office of Administrative Law last week and are in force. These regulations offer clarity for businesses to help comply with the CPRA.
The CPRA regulations range from significant guidance in some areas, and less direction in others. For example, the regulations provide for some relief to businesses if a “disproportionate effort” of compliance to respond to an individualized request overcomes the reasonably foreseeable impact of a failure to respond to the consumer. The regulations offer some input on what the business may do in these circumstances. Other changes include how businesses can respond to consumers’ (in the employment context as employees or applicants) “requests to correct” when the correction involves sensitive information that cannot be disclosed.
But hold on another minute and it all could change as The California Chamber of Commerce filed a lawsuit to arrest any enforcement of the new regulations by the Attorney General or the Agency to give businesses at least one year to adjust practices and get into compliance with the CPRA.
As a reminder, the CPRA has been in effect since January 1, 2023, but absent an injunction, the Agency’s active enforcement starts July 1, 2023. Employers should ensure they are taking steps to comply with the CPRA by reviewing the new regulations and consulting with an attorney.
