Keypoint: With the Board’s approval secured, the Agency will now send the final rulemaking package to the Office of Administrative Law for review.

On Friday, February 3, 2023, the Board of the California Privacy Protection Agency (Agency) voted to adopt and approve the Agency’s rulemaking package. The rulemaking package includes a redline of the final regulations, a final statement of reasons, and two appendices to the final statement of reasons with responses to comments received during the 45 day and 15 day comment periods. The Agency did not substantively change the regulations from the draft the Agency published in November.

Agency staff will now file the final rulemaking package with the Office of Administrative Law, which will have 30 business days to review. According to FAQs published on the Agency’s website, “the earliest that proposed regulations could be in effect is April 2023; however, this estimate is subject to change.”

The Board also voted to invite pre-rulemaking public comments on the next set of regulations concerning cybersecurity audits, risk assessments, and automated decision-making. The Agency’s discussion draft is available here.

With respect to overall compliance efforts, the Agency’s FAQs explain that “[a]s of January 1, 2023, the CPRA’s amendments to the CCPA are in effect, and businesses are required to comply with all express statutory requirements.” Businesses also are required “to comply with those CCPA regulations currently in effect.” However, pursuant to section 1798.185(d) of the CCPA, “civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Enforcement of provisions of law contained in the California Consumer Privacy Act of 2018 amended by this act shall remain in effect and shall be enforceable until the same provisions of this act become enforceable.”

On January 27, 2023, the California Attorney General’s Office announced another investigative sweep, this time focusing on mobile applications that allegedly fail to comply with opt-out requests and do not offer any mechanism for consumers who want to stop the sale of their data. The sweep also focused on the processing of authorized agent requests, including requests the Consumer Reports’ Permission Slip mobile application submitted. Last year the Agency engaged in investigative sweeps on loyalty programs and recognition of the Global Privacy Control signal.