Calling All Doing Business with / Employing California Residents: California Privacy Rule Soon to See Enforcement & New Regulations

Originally published by Fisher Phillips, a Leavitt Group partner for compliance. Authors: Darcey M. Groden, CIPP/US, Associate, Fisher Phillips & Usama Kahf, CIPP/US Partner, Fisher Phillips. Republished with permission. Some content and revisions by Leavitt Group.

Proposed CCPA Regulations Set to Take Effect As Soon as April

The Time to Get Into Compliance is Now

California data privacy officials just cleared the way for key regulations to take effect as soon as this April – which means the time is now for businesses located in and out of California to finalize changes to privacy policies in time for go-time compliance with the California Consumer Privacy Act (CCPA). See the prior Leavitt Group article “California Consumer Privacy Act (CCPA) Covered Businesses Must Disclose Most Inferences Drawn from Consumers’ Personal Information”. The California Privacy Protection Agency (the “Agency”) also voted at its February 3 meeting to set the wheels in motion to issue another round of CCPA regulations, this time on risk assessments, cybersecurity audits, and automated decision-making. What do businesses working towards CCPA compliance need to know about the agency’s most recent votes – and what should you do?

What You Can Do To Prepare

The agency has authority to start CCPA enforcement on July 1. The California Attorney General also has enforcement authority and continues to enforce the statute, but it is unclear whether the Attorney General will seek to enforce the California Privacy Rights Act amendments to the CCPA (which took effect January 1, 2023) prior to July 1 – especially if the regulations come in line before that date.

Given the fact that the latest vote by the Agency Board indicates that it is likely that the latest regulations could come into effect as soon as April, here are the steps companies doing business with California residents should consider now:

Be sure you have in place provisions for at least the 2020 CCPA regulations that will see enforcement July 1st.
- For those portions of the CCPA that have been in effect since January 2020, it is important that you ensure you are compliant.
- Topics that have been high-priority issues for the California Attorney General include non-compliant notices, absent or insufficient privacy policies, loyalty programs, opting-out of the sale of personal information, and global privacy controls.
Don’t forget the back-of-the-house compliance.
- If you have focused on the compliance that is visible to the public or consumers, be sure you get your back-of-the-house in order now.
- The agency will have audit authority – which means it can look at those aspects of compliance which are not visible to the public.
- Also ensure you have CCPA-compliant contracts in place with your service providers and contractors, completed your data inventory (and updated your notices and privacy policies if necessary), and implemented data minimization standards. Some of these tasks will take time, so you should start on them sooner rather than later.
If you have delayed CCPA updates while waiting for the regulations to get finalized, delay no longer!
- While it is possible that some or all of the regulations may be delayed, relying on that potentiality is asking for trouble. Moreover, the California Privacy Rights Act has gone into effect regardless of whether the regulations are finalized.
If you aren’t sure where to start, we recommend you work an employment attorney like the Leavitt Group preferred partner for employment law, Fisher Phillips. It can take the average business three to six months to do everything required to ensure compliance. That’s why we’ve partnered with Fisher Phillips who can provide employers a menu of flat-fee starter kits, templates, packets, and other resources to help you jumpstart the process. Let your Leavitt Group representative know and we can connect you.

Current Rulemaking’s End is Finally in Sight

At its February 3 meeting, the Agency’s General Counsel was careful to explain there is no guarantee the regulations will be approved in the first go. After it submits the final rulemaking package in the next two weeks or so, the Office of Administrative Law (OAL) will then have 30 business days to ensure the agency complied with rulemaking requirements. The OAL will then either approve and file the proposed regulations with the California Secretary of State or disapprove the rulemaking action.

The OAL may also identify issues which require revisions. Depending on the nature of such issues, they may be quickly resolved during the 30-business day review. But if they cannot be addressed without further action from the agency, some or all of the regulations may need to return back for further rulemaking (including notice and a public comment period).

Given this framework, we anticipate an April 2023 effective date of the final rules – assuming all goes smoothly with the review process. You cannot rely on the possibility that this timetable could be derailed, however. You should operate under the assumption that you will soon be subject to the regulations as currently developed.

Additional Rulemaking on the Horizon

While this round of rulemaking is winding down, the work on the next set of regulations is gearing up. The Agency Board approved proposed preliminary rulemaking questions for the public to weigh in on addressing cybersecurity audits, risk assessments, and automated decision-making. Once these questions are officially published, the public will have 45 days to weigh in.

Those three topics will not be the only topics addressed in future rulemaking. In various meetings while drafting the current set of regulations, the Board identified other topics it would like to address and received public comments regarding other topics as well. Additionally, the Board recognized that the current proposed regulations are imperfect and contemplated returning to some of the rules in the future for revision.

One topic of interest to employers is how any of the CCPA regulations will apply in the employment context. In the absence of employment-specific regulations, guidelines, or FAQs, employers find themselves having to interpret and apply rules that are written for (and make better sense in) more typical customer or consumer interactions. However, the Agency gave no indication as to whether this would be addressed in future rulemaking.

Long-term, businesses should be aware that more regulations are coming down the pipeline. There is nothing businesses can do right now to prepare, but it is something to plan and budget for in the future. As the process of getting the current draft regulations this far has shown, it will be a slow-moving process – but it will happen.

Conclusion

Companies with a national presence should not be unfamiliar with the challenges that come with varied rules across the states. They would also know that the Colorado Privacy Act that predates CCPA has influenced how the California Data Privacy Protection Agency shaped the California rules. See the prior Leavitt Group article “Increase in Cyber-Attacks Leads to Influx of New Privacy Data Breach Reporting Obligations” for additional updates on privacy breach reporting laws.

In this ever-changing environment, be sure to partner with experts who can help you navigate these more complex rules. Leavitt Group is your trusted advisor and partners with experts like Fisher Phillips who can provide robust resources and consultation. We will continue to monitor CCPA obligations and enforcement efforts and provide updates as warranted, so make sure that you are subscribed to news.leavitt.com to get the most up-to-date information direct to your inbox. For further information and support, contact your Leavitt Group representative who can connect you with a Fisher Phillips attorney and their Consumer Privacy Team. You can also visit the Fisher Phillips CCPA Resource Center at any time.