California: 2022 CPRA updates and key dates for businesses
On 28 June 2019 the California Consumer Privacy Act of 2018 ('CCPA') was signed into law and later entered into effect on 1 January 2020. Subsequently, on 3 November 2020, the California Privacy Rights Act of 2020 ('CPRA') was passed, stipulating several amendments to be made to the CCPA, with an operative date of 1 January 2023, though many of its provisions will be applicable to personal information collected from 1 January 2022. OneTrust DataGuidance highlights some of the key updates surrounding the CPRA, and outlines some key dates for businesses to have in mind.
Recent CPRA updates
Since the passing of the CPRA, businesses have had some time to consider its provisions and think about what they need to do to prepare for its operative date. There have also been other key developments, such as the appointment of the California Privacy Protection Agency ('CPPA') Executive Director, Ashkan Soltani, on 4 October 2021, and several meetings of the CPPA Board on a range of topics. Most recently, the CPPA Board initiated a public consultation on 22 September 2021 on proposed rulemaking under the CPRA, which ended on 8 November 2021, and the results of the public consultation were released on 13 December 2021. The topics discussed in the consultation included:
- processing posing significant risks to consumers;
- automated decisionmaking;
- audits by the CPPA Board;
- matters around consumer rights;
- information to be provided in response to a consumer request to know; and
- matters around definitions and categories of information and activities.
Extended timeline for CPRA rulemaking
In this respect, the CPPA Board was initially expected to release new regulations by July 2022. However, the CPPA Board met on 17 February 2022 to discuss additional matters, and this July 2022 date has been pushed back to later in 2022. On this matter, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, stated that "the announcements said Q3 or Q4 [of 2022] which would leave companies with not much time to implement any new information or recommendations promulgated". With this in mind, and although there is some additional time before these CPRA regulations are released, Kagan gave some insight into what businesses can do to prepare while they wait, noting that they should "look at the provisions of the law itself, coupled with knowledge of how these things are implemented in other jurisdictions, for example under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and use that to formulate a risk mitigation strategy".
CPRA and employee data
One notable aspect of the CPRA that has been widely discussed is the application of its provisions to employee data. Currently, there is a moratorium on the application of the CCPA's provisions to employee data, although this is set to expire in 2023, at which point the new provisions of the CPRA would be applicable to personal information collected in the employment context by organisations. Nevertheless, there are certain considerations that businesses should be making, and some discussion around these dates may prove relevant. By way of further explanation, Kagan outlined that "unless anything changes, the employee data carve out will phase out on 1 January 2023. There are bills suggesting to change this, but with them [there are] already statements from plaintiff's attorneys [stating] that they will challenge this amendment as not being in line with the limitations on amending the CPRA (due to the fact that it was passed as a ballot initiative)".
Kagan went on to detail some considerations to be made, noting that "[b]usinesses would do well to prepare for this change as it may require a lot of organisational heavy lifting – Do you know where all your employee data is? Are all the service providers involved ready to provide you with the data? What about the habits of your HR teams – is there content/comments in the HR files that would be better not to include and require a process change?".
Thus, with the shortening timeline for businesses to prepare, while still awaiting additional new regulations on the CPRA and simultaneously considering the applicability of provisions to employee data and what that will look like, there is still quite some work to be done. In this regard, Kagan stated that "the CPRA is going into effect in 2023. Shockingly, it's already March of 2022. Businesses should make an action itemised prioritised list of CPRA priorities and start working through them… now!".
As general best practice for doing this, Kagan noted that it is important for companies to prioritise, and to do so while keeping in mind the "nature of the data" and to "start with the more sensitive and numerous first, with the more consumer facing first and with the processes that would take the longest first. [Businesses should m]ake a plan and start working through it consistently".
What remains is to await further discussions from the CPPA on CPRA rulemaking, with meetings expected to be held in later months and the new CPRA regulations highly anticipated in the final two quarters of 2022.
Iana Gaytandjieva, Lead Privacy Analyst
Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy
Fox Rothschild LLP, Philadelphia