April is the earliest regulations will be done.
New California Privacy Protection Board Member Alastair Mactaggart.
California's first-in-the nation data privacy law takes effect in less than two weeks, but without final regulations in place.
The California Privacy Protection Agency, tasked with drawing up and enforcing regulations for the amended California Consumer Privacy Act, said during its Dec. 16 meeting that regulations won't be final until April, at the earliest. And that's if everything goes according to plan.
The board didn’t give a reason for the delay, but said it still wants to submit the board's reasons for why it did or didn't make any further changes to the regulations, as well as release 500 pages of public comments. It will then convene and send the final rule package to the Office of Administrative Law (OAL) for approval by the end of January or early February.
“OAL will have 30 days to review, meaning that if approved, the soonest the regulations could be in effect is in April,” said Ashkan Soltani, the privacy board’s executive director.
When asked about confusion over the compliance date of the law during public comment, board Chairperson Jennifer Urban said the law’s statute is effective Jan. 1, and that, “The proposed regulations will go into effect when they are approved.”
New privacy board member Alastair Mactaggart, who spurred the privacy law’s amendment in 2020, highlighted the urgency for regulation approval.
“It’s good for the industry, for the community, for advocates, for everybody to know what’s coming down the pike,” said Mactaggart.
The CCPA is intended to have the strongest privacy protections in the country, designed to give people unprecedented control over their personal data. The updated law empowers people with an elemental right: to stop companies from abusing your personal information. Starting next year, a business must comply with consumer requests to correct inaccurate information that they have about you. Further, sensitive personal information, such as your social security number or precise geolocation data, can only be used for specific purposes related to a service. Data while browsing is sold to third parties in seconds. As Consumer Watchdog recently highlighted in a new report, a person’s browsing habits are sold about 750 times a day, amounting to an industry worth billions built off our most sensitive information.
This is the second time the law’s finalization has been pushed back. The agency missed its July 1 deadline to approve regulations. A second and final round of regulations, which will include risk assessments, audits, and automated decisionmaking, are slated to be rolled out following the finalization of the first package of regulations.
The five-member privacy board convened one member short following the departure of Chris Thompson, who left his role to become chief of staff for Los Angeles Mayor Karen Bass. His vacancy has yet to be filled.
Enforcement of the law will begin July 1, 2023.