Recent Changes to California’s Private Information Protection Law Take Effect January 1st, Barring New Regulations
Few anticipate that the necessary rulemaking will be completed by January 1, when California’s new privacy law takes effect.
That leaves companies in an uncharted area in terms of regulatory compliance. Cassandra Gaedt-Sheckter, a privacy attorney at Gibson, Dunn & Crutcher LLP, stated, “There’s still a lot that our clients are waiting for.”
But now that we’re well into the new year, I believe most businesses are only doing their best to comply with the laws as they now understand them.
A definitive date for the completion of all rules is currently unavailable. There is still work being done on the first piece of the new regulations, and there are still parts of the law that have not been addressed.
Companies still have until July, when the new rule goes into effect, to ensure compliance. Voters in California enacted the California Privacy Rights Act in 2020.
It gives customers more protection against how businesses utilize their private data.
The California Consumer Privacy Act, the nation’s first comprehensive privacy law, will be updated and revised under this new law.
There have been instances of rulemaking being delayed. The Attorney General’s Office also missed the deadline to enact underlying regulations during the CCPA’s implementation.
Despite the fact that the law required completion of the regulations by July 2020, they were published online in August 2020.
One privacy advocate has remarked, “I don’t think the sky is necessarily falling if all the regulations aren’t in place by January 1, and they’re not going to be.”
Companies are left to their own devices to figure out how to comply with the legislation in the absence of final rules.
When the final version does arrive, businesses may not have much time to prepare. In its most recent proposal of rules, the California Privacy Protection Agency acknowledged that uncertainty.
The state privacy office stated that it could take into account the length of time between the requirement’s effective date and the date of the alleged breach when conducting its investigation.
The proposed guidelines allow for “good faith attempts” to be taken into account as well. However, the California Chamber of Commerce argued in a statement provided to Bloomberg Law that such guarantees aren’t sufficient.
The group proposed delaying regulation enforcement until a year after the rules went into effect.
However, those who support the privacy bill don’t want its enforcement delayed in any way.
Alastair Mactaggart, chair of Californians for Consumer Privacy and a member of the CPPA, previously stated, “Businesses have had until November 2020 to grasp that the landscape has altered irreversibly surrounding the personal information market in California.”
It’s extremely dishonest to claim that they can’t comply with CPRA next year because they don’t know the precise language the regulations will take.
As of early December, the agency is still working on regulations to incorporate some of the basics of the CPRA into current privacy rules, such as establishing a consumer right to update personal information or outlining new obligations between businesses and their third parties.
Last month, the public comment period for those amendments concluded. No rules have been proposed yet on any of the other major CPRA issues.
This procedure will launch during a December 16 agency meeting. For example, businesses and campaigners are looking for direction on the following:
The collection and storage of employee data will be drastically altered as of January 1 due to new privacy rights for workers.
Business-to-business communications will also be subject to new privacy regulations as of January 1.
Assessments of risk, in which businesses must decide what aspects of their data processing activities are potentially harmful to individuals’ right to privacy.
Businesses will also be required to perform cybersecurity checks every year.
The process of gathering and using individual data through automated decision-making, often known as artificial intelligence.
At this time, businesses should comply as closely as possible with the California Privacy Rights Act and any proposed rules, according to Gaedt-Sheckter.
When the final guidelines are released, they’ll likely have to make some changes. Susan Kohn Ross, chair of the privacy practice at Mitchell Silberberg & Knupp LLP, remarked that the first state privacy law clarifies the requirements for consumers’ privacy.
If companies already operate under one set of norms, it may not make sense to try to conform to the newer set. If the rules change in the end, it can be expensive.
“Until something changes,” Ross remarked, referring to the existing California Consumer Privacy Act. We have no idea how such rules will ultimately be shaped.
And until we see them, we have no idea what modifications will be necessary for businesses.