Final Privacy Regulations Anticipated To Go Into Effect In April 2023 - Enforcement Scheduled to Start July 1, 2023
On February 14, 2023, the California Privacy Protection Agency (CPPA) submitted its proposed final regulations (“Regulations”) to the Office of Administrative Law for a final review. It is anticipated that Regulations will go into effect in April 2023. The CPPA is California’s regulatory agency dedicated to enforcing consumers’ and employees’ privacy rights. The projected enforcement date remains July 1, 2023, so California employers should take proactive steps to comply with the California Privacy Rights Act (CPRA) as explained by the Regulations. Nonetheless, the California Attorney General has already begun and continues to enforce the CPRA.
The Regulations provide some relief with respect to private information stored on old systems. Covered entities may “delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” In other words, if the information is stored on a system that is not active, an employer might not have an immediate obligation to delete or correct such information unless that system comes back into usage.
The Regulations also refined the definition of “disproportionate effort” to give relief to third parties associated with an employer. The Regulations indicate that an employer might be relieved from taking action if the action would require a disproportionate effort or resources that outweigh the reasonably foreseeable impact on the employee. However, there is no bright-line test to provide guidance on how the CPPA will interpret those terms in the real world. Thus, an employer that avoids taking action under this portion of the Regulations should be sure to consult with competent counsel before making its final decision.
The Regulations highlighted the importance of “good faith” in complying with the CPRA. As the official enforcement body under the CPRA, the CPPA has the discretion to “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” The Regulations, along with recent comments from the CPPA’s officers at the California Lawyer’s Association Privacy Conference, indicate that the CPPA will give serious weight to employers who engage in good faith efforts at compliance and encounter documented difficulties carrying out privacy policies. At least in the early days of enforcement, one may optimistically expect greater leniency for employers who demonstrate a clear-cut good faith effort to comply with the CPRA as opposed to employers who claim ignorance or those who flaunt the Regulations. Therefore, if an entity is a covered entity, it should consult with counsel to prepare notices, policies, training and have procedures in place that comport with the CPRA’s obligations to honor employee privacy.