California Privacy Agency: CPRA Regs Not Likely Until Late 2022

Final regulations implementing the California Privacy Rights Act (CPRA) may not be issued until Q3 or Q4 2022, as reported by Executive Director Soltani of the California Privacy Protection Agency (“CalPPA”) at its February 17th Board meeting.  This means that businesses subject to CPRA will not have regulatory guidance on how to implement the CPRA until just months, or possibly weeks, before the law goes into effect on January 1, 2023, assuming the regulations are finalized before the effective date.  This is a significant departure from the CPRA’s stated timeline of July 1, 2022 for the adoption of final regulations.  While enforcement under CPRA cannot begin until July 1, 2023, and at that time enforcement can only address violations alleged to have occurred on or after that date, businesses are not well-served by the prospect of implementing the significant regulations required by the CPRA in half the statutorily allotted time.

Sidley privacy lawyer Sheri Porath Rockwell spoke to Jennifer Urban, Chairperson of the CalPPA Board, about whether the agency would consider, as a matter of policy, extending CPRA enforcement dates in light of the projected rulemaking delays.  Chairperson Urban explained that California law prohibits the agency from making such policy announcements, in contrast to federal agencies like the FTC that routinely announce “regulatory priorities.”  Rather, if the enforcement date is to be extended, it will need to be formally considered and addressed, such as through legislative action.  At the same time, Chairperson Urban (speaking in her individual capacity) expressed an appreciation and awareness of the difficulties businesses may experience when attempting to operationalize the law without more timely regulatory guidance.

The delay in issuing final regulations is attributable to several factors.  Initially, the CPRA tasked CalPPA with a challenging mission:  Build an agency from the ground up while simultaneously issuing regulations to implement a 50+ page law that addresses some of the most complex technological issues of our day.  The agency’s task is further complicated by California’s “Bagley-Keene Open Meeting Act” (“Open Meeting Act”). The Open Meeting Act requires that the five-person CalPPA Board address and discuss rule-making documentation (such as proposed and final regulations and initial and final statements of reasons) without collaborating or communicating in groups of more than two members outside of a publicly-noticed meeting.  Their approval of any such materials will also be subject to this requirement and the overall limitation on private communication extends to emails and phone calls.  The complexities presented by the Open Meeting Act did not impact rulemaking for the California Consumer Privacy Act (“CCPA”) because the California Office of the Attorney General is not subject to this law.

While the Open Meeting Act’s emphasis on transparency over efficiency complicates efforts to operationalize CPRA compliance, the public nature of deliberations could provide practitioners with more insights into how the Board views complex issues. These insights may prove helpful when assessing compliance priorities and risks.

Below we provide a detailed summary of the timeline outlined by the CalPPA Executive Director Soltani during the February 17th Board meeting:

  • Mid-to-Late March 2022 – Subject Matter Experts: Agency to invite experts and academics to provide the Board with background information about issues, including technical issues, that are in scope for rulemaking.  For example, experts on global opt-out technologies may describe the technology and summarize different tools that are available.
  • April 2022 – Stakeholder Meetings: Public stakeholder meetings will be conducted to solicit pre-rulemaking comments that will inform rulemaking.
  • Q2 2022 – Initial Proposed Regulations: Executive Director Soltani estimated that initial draft regulations would be provided to the Board sometime in Q2 2022, but could be later.  The initial regulations will need to be approved by the CalPPA Board.
  • Potentially Q2 / Q3 2022: Notice and Comment Period: Once initial draft regulations are approved by the Board, they will be submitted to the Office of Administrative Law (OAL) which will publish them, in a process similar to publication in the Federal Register.  The 45-day notice and comment clock begins to run from the date of publication.  If CalPPA decides to modify regulations in response to comments received, it will trigger another notice and comment period of either 45 days or 15 days, depending upon the nature of the changes.  CalPPA will need to summarize and respond to all comments received during the notice and comment periods in the Final Statement of Reasons, which the Board is required to approve.
  • Potentially Q3 / Q4 2022: Review by Office of Administrative Law:  When the CalPPA Board has approved the CPRA regulations and the Final Statement of Reasons, those documents and required elements of the rulemaking process (including a financial impact assessment) will be packaged and sent to the Office of Administrative Law for approval.  The OAL has 30 working days to review the rulemaking package to determine if the agency has satisfied requirements of the California Administrative Procedure Act, including whether each proposed regulation is within the scope of the rulemaking power conferred upon the agency.  If approved, regulations are filed with the California Secretary of State and will become effective on January 1, 2023 if filed between September 1 and November 30, 2022 (or later, at the OAL’s discretion).

Unfortunately there are many variables contributing to this timeline. That said, compliance with the CPRA is still something that businesses will need to address as the year moves forward. The Sidley Privacy and Cybersecurity Team can help you operationalize CPRA compliance efforts, and we will continue to monitor and report on rulemaking developments as the CPRA rule-making process unfolds.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.