If you’re a business subject to the California Privacy Rights Act (CPRA), the last few months have been incredibly frustrating.
First, the law went into effect January 1, 2023 — but with no regulations or even an FAQ from the California Privacy Protection Agency (CPPA) for guidance. The final regulations were approved nine months late, in March 2023. Even though the CPRA includes an enforcement delay until July 1, 2023, the late regulations meant that covered businesses would barely have three months to assess the regulations and come into compliance.
Worse, the regulations are incredibly complex and far from straightforward. They also provide almost no helpful information regarding the application of the CPRA to personal information collected in the employment context.
This is all starting to seem pretty unfair, right?
Fortunately, CalChamber swooped in with a request for an injunction to delay enforcement of the regulations. The Sacramento Superior Court agreed with CalChamber’s concerns, and held that the regulations will not be enforceable for one year from enactment, or March 29, 2024. Any additional regulations the CPPA is working on also will be subject to a one-year delay of enforceability.
Of course, this does not mean that the CPRA itself is suspended. The law is still in effect and enforceable as of July 1, 2023. You still need to do your best to ensure you have compliant privacy policies and notices. However, the requirements in the law are far less detailed and complex than those in the regulations, so the delay gives businesses some breathing room to assess those regulatory requirements. And maybe the CPPA will give us a break and offer some practical guidance in the interim. Fingers crossed.
For now, we’re assisting clients in preparing their Notices at Collection for employees and applicants. Contact us for a detailed packet to help you jumpstart your compliance efforts.