California Consumer Protection Act

Regulatory/Compliance Issues

• Regulations to implement the California Privacy Rights Act (CPRA) are delayed and it is unclear when the final regulations will be adopted, in part or in full.

• Delay in regulations hurts businesses and consumers alike, making it harder to effectuate the CPRA rights in a timely and cost-efficient manner and deliver the benefits of those rights to consumers, as required as of last January 1.

• The California Chamber of Commerce will continue to participate fully in regulatory activities while also opposing and highlighting efforts of the California Privacy Protection Agency (CPPA) that exceed its statutory authority.

• The CalChamber supports efforts to provide businesses additional time to come into compliance and a longer moratorium against enforcement actions by both the CPPA and the Office of the Attorney General, given the agency’s delays.

Background

When voters approved Proposition 24 in 2020, enacting the California Privacy Rights Act (CPRA) effective January 1, 2023, they also established a brand-new privacy agency (the CPPA) and mandated that the agency adopt implementing regulations for the CPRA. Specifically, the voter-approved law provided businesses six months between the date that final regulations were due from the agency (July 1, 2022) and the date the CPRA takes effect (January 1, 2023) to ramp up and prepare for full implementation of the law, and an additional six months from the effective date and one year from the regulations being adopted to work out any compliance issues prior to enforcement actions commencing.

These regulations are integral to business compliance. They directly affect businesses’ ability to operationalize the CPRA correctly, and in a privacy protective manner, as approved by voters.

As of the end of December 2022, those regulations have not yet been adopted by the agency. The regulations remain in draft form, and it is unclear when they will be finalized and whether additional CPRA regulatory packages still are anticipated.

What is clear is that the regulations: (1) will not take effect before January 1, 2023, even though businesses are legally required to be fully compliant with the law; and (2) will be incomplete (draft regulations have not addressed topics such as risk assessments, automated decision making, and more). This is not merely a case of dilatory rulemaking — it has created an untenable position for businesses attempting to comply with the law. For example, businesses will be subject to a requirement to conduct audits under the CPRA, without any information as to what those audits need to include to be compliant. Although enforcement cannot commence until July 1, 2023, it is possible that these regulations will not be in place by the time enforcement commences or will be finalized so late that businesses will have little time to implement the rules.

Further, with the expiration of the employee and business-to-business exemptions, the lack of any regulations on applying the CPRA to the employment context will make it impossible for businesses to comply with the law, regardless of effort.

The absence of regulations in place as of the effective date of the act requires businesses to waste critical resources, dedicating personnel, time and cost to implementing the law based on the business’s best interpretation, leaving the business at risk of needing to make potentially significant and costly changes immediately when the final regulations are adopted. Finally, businesses inevitably will be held accountable for errors that could have been avoided if regulations had been in place on time and as required by voters.

The CalChamber has been and will continue to be an active participant in all rulemaking activities of the California Privacy Protection Agency. The CalChamber provided written comments during both rounds of public comments thus far and plans to provide written public comment on future draft regulations, with an overarching goal of identifying any operational issues, unintended consequences to either businesses or the customers they serve, and/or any regulations that exceed the CPPA’s authority or requirements that otherwise should be reserved for legislative action. The CalChamber endeavors to keep the Legislature and key policy committees (Assembly Privacy and Consumer Protection Committee and Senate Judiciary Committee) apprised on both the agency’s progress and the CalChamber’s regulatory priorities/concerns as the regulatory effort moves forward.

CalChamber Position

The CalChamber strongly supports greater legislative oversight over the current rulemaking process and would support legislation that is both privacy protective (by ensuring regulations are not rushed which will inevitably lead to unintended consequences) and realistic in setting compliance expectations that consumers and businesses can rely upon (by adjusting compliance and enforcement deadlines such that businesses can operationalize the law correctly). The CalChamber also supports legislative or executive efforts that will help avoid any potential unintended harms of allowing the employee and business-to-business sunsets to lapse.

The CalChamber opposes regulations that conflict or otherwise go beyond the scope of the California Privacy Protection Agency’s statutory authority, including on topics such as the optional global opt-out preference signal. The CalChamber also opposes regulations that either would create compliance issues or undermine consumer privacy when operationalized; implement vague standards that add to confusion/lack of clarity; or otherwise conflict with other important public policy goals.

To reduce compliance burdens, the CalChamber generally supports regulations that reduce operational challenges or which harmonize with other states’ laws and regulations.

January 2023