Passed by voters in 2020, the California Privacy Rights Act (CPRA) made significant changes to the state’s existing privacy law, the California Consumer Privacy Act (CCPA). The CPRA includes several new privacy obligations, and helps bring the law closer in line with its European counterpart, the General Data Protection Regulation.

Businesses that are required to comply with the CPRA were given two years to bring their operations into compliance, but the law’s effective date and enforcement date are fast approaching.

Effective Date vs. Enforcement Date

The CPRA has two very important dates: the date when it goes into effect and the date when it becomes enforceable.

The CPRA goes into effect on January 1, 2023. On that day, it replaces the prior version of the CCPA, and businesses that don’t follow its requirements will be out of compliance.

However, in order to ease the transition for businesses, the new provisions of the CPRA do not become enforceable until July 1, 2023. This means that, even if they are non-compliant, businesses can not be subject to fines or injunctions with regard to the new requirements. This date is also significant because it is when the newly created California Privacy Protection Agency (CPPA) will take over enforcement duties from the Attorney General’s office.

What Does this Mean for Compliance

The six-month delay in enforcement should not lull businesses into a false sense of complacency, because the old requirements of the CCPA are still enforceable. The California Attorney General can impose fines for non-compliance, and has already done so. Businesses therefore should not treat this a free grace-period to ignore CCPA compliance altogether, but instead should be working as quickly as possible to incorporate the new privacy requirements, some of which are quite substantial.

There are a few reasons for this:

• Consumers can still file complaints with the state
  Savvy consumers who know their rights will notice when a business isn’t doing everything it should, especially in the area of privacy requests. The state has an online portal where consumers can report businesses for non-compliance. Even if the CPPA can’t impose fines right away, you can be sure it is still taking notice.

• The mandatory 30-day cure period is ending
  Previously, the state has been required to give every business 30 days to cure any alleged CCPA violations before proceeding with enforcement. This provision in the law expires on January 1, 2023, at which point it will be entirely within the authorities’ discretion whether to give your business a chance to get compliant before being fined.

• The CPPA is expected to be much more aggressive in enforcement
  Anyone who has been following the progression of the California Privacy Protection Agency as it staffs up and drafts new regulations will notice that it has a very strong pro-privacy stance and is eager to begin enforcement. While the Attorney General’s office has itself been fairly busy, enforcement is widely expected to take a big jump starting in July 2023, when the CPPA takes over.

‍