One of the most notable changes as California shifts its data privacy regulations from the CCPA to the CPRA is the creation of a separate governing body, the California Privacy Protection Agency (CPPA).
The CPPA has been integral to the drafting and implementation process of the new CPRA, but the agency has made modifications to the bill's text twice now this fall, once in October and again in November.
While the January 1, 2023 date of effect remains for the CPRA, these recent tweaks to the bill mean that businesses likely will not receive finalized rules until sometime between January 1 and July 1, the currently proposed date of enforcement.
Businesses should still make every effort to be compliant with changes by January 1, with the recent modifications even possibly having made compliance easier.
The CPPA has published a helpful 16-page chart highlighting the changes and reasons for them.
Here are the highlights:
- Unstructured data is now defined as "that which cannot be retrieved or organized in a pre-defined manner without 'disproportionate effort' on behalf of the business, service provider, contractor, or third party."
- Businesses no longer have to identify the names of the third parties that control the collection of personal information in their Notice at Collection.
- Businesses, service providers, and contractors can delay compliance with requests to correct for information stored on archived backup systems.
- Businesses no longer will be required to display the status of a consumer's choice to opt out of the selling or sharing of their personal information.
- The CPPA will consider the timing of any violations as well as good faith measures to comply when assessing 2023 violations.