On February 17, the California Privacy Protection Agency (CPPA) announced it will not complete its rulemaking under the California Privacy Rights Act (CPRA) until Q3 or Q4 of this year, marking a slip from its statutory deadline of July 1, 2022.

Below we outline key details around this announcement, and what it means for organizations planning for CPRA compliance throughout this year.

CPPA Background

In 2018, California became the first state in the US to sign into law a comprehensive consumer data privacy law known as the California Consumer Privacy Act (CCPA). The CCPA provides most California residents with broad rights over how their personal information is collected, used, stored, and shared by covered businesses. The CCPA, which has been in effect since January 1, 2020 and enforced by the California Attorney General (AG) since July 1, 2020, is scheduled to be amended by a new law known as the CPRA effective January 1, 2023. Under the CPRA, California residents will be granted even more rights and flexibility to control their personal information. A new enforcement agency known as the CPPA will enforce the CPRA in conjunction with the AG, and will have rulemaking authority to issue implementing regulations.

Summary of Announcement

Under the CPRA, the CPPA must complete its rulemaking under the CPRA no later than July 1, 2022 and begin enforcing the CPRA no earlier than July 1, 2023. On February 17, 2022, however, the CPPA announced during a public hearing on the CPRA that the agency’s rulemaking process will not be complete until Q3 or Q4 of this year. This slip in the timeline, according to the CPPA’s Executive Director, is the result of a need for additional staffing and the need to hold public hearings on a range of complex regulatory topics.

The CPPA also announced that the preliminary public hearings are expected to consist of instructive hearings hearings with subject matter experts and stakeholder hearings. The CPPA received a set of public comments in response to its September 21 Invitation for Preliminary Comments. The instructive hearings are being scheduled for mid to late March. The stakeholder hearings are being scheduled for April. The format of the hearings is likely to be remote. Formal rulemaking will likely begin in April when rulemaking authority under the CPRA transfers to the CPPA.

It remains an open question as to whether the statutory effective date (January 1, 2023) or the enforcement date (July 1, 2023) will be amended as a result of this shift in schedule. In the meantime, covered organizations on the CPRA should begin preparing for compliance now as the regulatory landscape under the CPPA begins to take shape in Q2, Q3, and Q4 of this year.

Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Peter Stockburger

About Peter Stockburger

Peter Stockburger is the office managing partner for the Firm's San Diego office, a member of the Firm's Global Data Privacy and Venture Technology Groups, and co-lead of the Firm's Autonomous Vehicles practice. With a focus on data privacy and security, Peter partners with clients around the globe to leverage data and talent to grow, operate, and protect their business.

Full bio

RELATED POSTS