On January 1, 2023, CCPA gave way to the amended and expanded CPRA to regulate data privacy for US companies that buy, sell, or share the personal information of 100,000+ California consumers or households or meet other criteria. However, uncertainty remains because rulemaking by the California Privacy Protection Agency is still up in the air, and companies must determine which requirements need to be met now while we await more information.
While the CPPA has an informal rulemaking extension in place that could push clearer information out as far as April, enforcement of certain requirements may begin sooner rather than later.
What Do You Need to Do Now?
While the CPPA is still considering certain rulemaking initiatives and public comments, certain requirements should be adhered to now as we wait for further information. Based on carry-over from CCPA, these requirements remain in place and noncompliance could result in immediate enforcement:
Do Not Sell
On their website, businesses must include a prominent “Do Not Sell My Personal Information” link where consumers can make an opt-out request. Businesses cannot require consumers to register for an account before submitting a request.
Companies in scope must ensure their website respects the Global Privacy Control (GPC) signal from consumers.
Companies should update their privacy policies to reflect compliance with CPRA as soon as possible. An outdated privacy policy is one of the most prominent ways to publicize noncompliance.
In the meantime, which CPRA requirements will have additional compliance time while the CPPA is still in a holding pattern? The new requirements for opt-out and employment data likely won’t be enforced until final rulemaking is released and more clarity is provided. That being said, enforcement by a specified agency is a new frontier for US privacy, and because the CPPA is paving its own path, it could start enforcing now, though that seems unlikely.
While Truyo’s recommendation is to meet all compliance requirements as soon as possible, if your company is unable to meet all new CPRA requirements at this time, you should certainly focus on the ones already covered by CCPA, which are no longer subject to the 30-day cure period that lapsed with the sunset of CCPA.