During a public board meeting on February 17, 2022, the California Privacy Protection Agency (CPPA) indicated it would likely miss the July 1, 2022 deadline for finalizing the CPRA regulations. The delay stems from the additional time and resources needed to receive and process public comments. The CPPA projects that it will release the final regulations by the third or fourth quarter of 2022.
The delay deprives businesses of the built-in six-month time frame before the act's January 1, 2023 effective date. There is no guarantee of an extension. Organizations subject to the CPRA should implement and test the necessary procedures to meet the 2023 compliance deadline.
Ashkan Soltani, Executive Director of the California Privacy Protection Agency, commented on the CPRA rulemaking process, informational hearings and timeline. According to Soltani, "our statute directs us to perform three core functions, rulemaking, enforcement and public awareness." On October 21 of last year, the CPPA gave notice to the California Attorney General that it was prepared to assume rulemaking.
There will be a set of informational hearings in March. The CPPA is organizing a set of informative sessions, inviting experts and academics to help inform the agency on questions related to the topics it is exploring. The final hearing dates are still being scheduled but will likely fall in mid to late March.
There will be a set of preliminary review sessions to receive further input. The CPPA plans to announce a process for stakeholders to sign up and participate in advance of those sessions.
The actual rulemaking process itself is still being defined.
Mr. Soltani commented, "We're building the car while we drive it." Formal proceedings, including public hearings, will continue into Q3, with rulemaking completed in Q3 or Q4. He mentioned that the current budget request includes hiring 54 new staff members. He added that while this timeline does put the agency past the July 1 rulemaking schedule in statute, it allows the agency to balance staffing its 54 budgeted positions with undertaking substantial preliminary information gathering.
Attendees asked several questions about the format of public meetings. Will they be virtual meetings, actual on-location meetings, or hybrids? How will the experts and academics be chosen for the March meeting? There was concern that the diminishing implementation window won't give businesses enough time to prepare. There are also concerns over the cost of compliance, especially for small businesses impacted by the CPRA.
Mr. Soltani acknowledged the timeline pressure but said there is no plan to move the January 1, 2023 compliance deadline.
While the CPRA timeline specifics are in flux, the overall compliance requirements remain. Therefore, businesses should continue to prepare ahead of time for a smooth transition and minimal disruption.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations to which businesses may be subjected.