On January 1, 2023, the substantive provisions of the California Privacy Rights Act (CPRA) took effect, significantly amending the California Consumer Privacy Act (CCPA) and marking another milestone in the development of US privacy law. However, an often-overlooked provision in the CPRA delays enforcement until July 1, 2023, giving businesses some breathing room as they work to refine their compliance programs and avoid costly enforcement actions.
The provision, buried in the CPRA’s section on agency rulemaking, reads as follows: “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this Act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.”
Not only does this provision delay CPRA enforcement until July 1, but it also makes clear that regulators will not be able to look back to pre-July conduct for enforcement of anything added or amended by the CPRA. As a result, businesses can find some relief in knowing they will not be on the receiving end of CPRA enforcement for conduct occurring prior to July 1, 2023—at least as it relates to obligations that are new or different under the CPRA.
Despite this enforcement delay, the CPRA’s substantive requirements are now operative law. We’ll leave what it means for something to be “law” while being unenforceable to the philosophers, but what is clear is that businesses are now subject to complex new requirements, including new consumer rights around targeted advertising and “sensitive personal information,” and vendor contracting changes. Not to mention, businesses continue to wait for the publication of final CPRA regulations, which are now more than seven months overdue.
Businesses that have not yet finalized their compliance programs to account for the new CPRA requirements should redouble these efforts in advance of the July 1 enforcement deadline. In particular, if your business has not completed a “data map”—an inventory of the categories, purposes and other details of your data processing activities so you can determine what requirements apply—the new year presents an opportunity to refocus on this important compliance step and obtain the necessary input and investment from stakeholders across your organization.
After July 1, 2023, penalties for noncompliance with the CPRA could be significant: up to $2,500 per violation ($7,500 for violations that are intentional or involve children), with each impacted consumer potentially giving rise to a separate “violation.” These penalties can be levied with or without a cure period. The CPRA eliminated the 30-day cure period that was available under the CCPA and instead grants both the California Attorney General and the California Privacy Protection Agency (CPPA) discretion on whether to offer a cure period, permitting the CPPA to consider the organization’s lack of intent to violate the law and any voluntary efforts to cure the alleged violation. Therefore, good faith efforts to comply could go a long way in mitigating enforcement risk under the amended law.
Businesses should keep in mind that the CCPA, which took effect in 2020, remains fully enforceable—and now extends to new data types because of the expiration of exemptions covering business contact and employee data.
Our video series summarizes the requirements under the CCPA, CPRA and other new US state laws. Notably, the Virginia Consumer Data Protection Act also took effect and became enforceable on January 1, 2023, creating additional compliance hurdles for covered businesses, because its requirements do not exactly mirror those in the CCPA/CPRA.
We expect 2023 will be another busy year for state privacy law, and it all begins with ensuring compliance with the amended CCPA requirements.