California data privacy officials just cleared the way for key regulations to take effect as soon as this April – which means the time is now for businesses located both in and out of the state to take seriously your efforts to get into compliance with the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency also voted at its February 3 meeting to set the wheels in motion to issue another round of CCPA regulations, this time on risk assessments, cybersecurity audits, and automated decision-making. What do businesses working towards CCPA compliance need to know about the agency’s most recent votes – and what should you do?
What You Can Do To Prepare
Currently, the agency has authority to start CCPA enforcement on July 1. The California Attorney General also has enforcement authority and continues to enforce the statute, but it is unclear whether the Attorney General will seek to enforce the California Privacy Rights Act amendments to the CCPA (which took effect January 1, 2023) prior to July 1 – especially if the regulations take effect before that date.
Given the fact that last week’s vote by the Agency Board means that the regulations could come into effect as soon as April, here are your next steps:
- For those portions of the CCPA that have been in effect since January 2020, it is important that you ensure you are compliant. Topics that have been high-priority issues for the California Attorney General include non-compliant notices or privacy policies, loyalty programs, opting-out of the sale of personal information, and global privacy controls.
- If you have focused on facial (public-facing) compliance but have been dilatory in those aspects which are not public-facing or consumer-facing, the agency will have audit authority – which means it can look at those aspects of compliance which are not visible to the public. To that end, you should ensure you have CCPA-compliant contracts in place with your service providers and contractors, have completed your data inventory (and updated your notices and privacy policies if necessary), and have implemented data minimization standards. Some of these tasks will take time, so you should start on them sooner rather than later.
- If you have delayed CCPA updates while waiting for the regulations to get finalized, delay no longer! While it is possible that some or all of the regulations may be delayed, relying on that potentiality is asking for trouble. Moreover, the California Privacy Rights Act has gone into effect regardless of whether the regulations are finalized.
- If you aren’t sure where to start, we recommend you visit our CCPA Resource Center. It can take the average business three to six months to do everything required to ensure compliance. That’s why we’ve created a menu of flat-fee starter kits, templates, packets, and other resources to help you jumpstart the process. Our knowledgeable team is ready to help you navigate all of it and tailor the requisite forms, notices, and policies to fit your business.
Current Rulemaking’s End is Finally in Sight
At its February 3 meeting, the Agency’s General Counsel was careful to explain there is no guarantee the regulations will be approved on the first attempt. After the agency submits the final rulemaking package in the next two weeks or so, the Office of Administrative Law (OAL) will have 30 business days to ensure the agency complied with rulemaking requirements. The OAL will then either approve and file the proposed regulations with the California Secretary of State or disapprove the rulemaking action.
The OAL may also identify issues which require revisions. Depending on the nature of such issues, they may be quickly resolved during the 30-business-day review. But if they cannot be addressed without further action from the agency, some or all of the regulations may need to return for further rulemaking (including notice and a public comment period).
Given this framework, we anticipate an April 2023 effective date of the final rules – assuming all goes smoothly with the review process. You cannot rely on the possibility that this timetable could be derailed, however. You should operate under the assumption that you will soon be subject to the regulations as currently developed.
Additional Rulemaking on the Horizon
While this round of rulemaking is winding down, the work on the next set of regulations is gearing up. The Agency Board approved proposed preliminary rulemaking questions, addressing cybersecurity audits, risk assessments, and automated decision-making, for the public to weigh in on. Once these questions are officially published, the public will have 45 days to comment.
Those three topics will not be the only topics addressed in future rulemaking. In various meetings while drafting the current set of regulations, the Board identified other topics it would like to address and received public comments regarding other topics as well. Additionally, the Board recognized that the current proposed regulations are imperfect and contemplated returning to some of the rules in the future for revision.
One topic of interest to employers is how any of the CCPA regulations will apply in the employment context. In the absence of employment-specific regulations, guidelines, or FAQs, employers find themselves having to interpret and apply rules that are written for (and make better sense in) more typical customer or consumer interactions. However, the Agency gave no indication as to whether this would be addressed in future rulemaking.
Long-term, businesses should be aware that more regulations are coming down the pipeline. There is nothing businesses can do right now to prepare, but it is something to plan and budget for in the future. As the process of getting the current draft regulations this far has shown, it will be a slow-moving process – but it will happen.