This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

Current CPRA regulations not expected to be finalized until late January or early February - would be effective in April

The California Privacy Protection Agency announced in their December 16, 2022 meeting that they do not expect to post a final version of the initial set draft regulations until late January or early February. If there are no further modifications, this initial set of regulations would not go into effect until April. While board member Alastair Mactaggart urged the CPPA to get the current rules out without further changes, he suggested that further changes could be left to later rulemaking, leaving the door open that the regulations may still not be "final" for a long time. Nevertheless, businesses should not wait to implement their obligations under the current draft regulations, but be ready for potential changes later. 

In addition, the CPPA began the process of starting regulations for the use of artificial intelligence, risk assessments, and cybersecurity assessments. The CPPA proposed some questions to be asked to the public sometime in 2023, suggesting that regulations for these areas may not be coming for a long time. Because some of these may require significant work for businesses subject to the CPRA to implement, businesses should begin work now based on the current statute (and potentially with reference to applicable standards, such as NIST, ISO, and others), but be prepared to adjust course as the draft regulations are released. 

The anticipated finalization of California Privacy Rights Act regulations has been pushed back again. While the CPRA takes effect in just under two weeks — on Jan. 1, 2023 — the California Privacy Protection Agency is still working to promulgate final rules. During a Dec. 16 board meeting, CPPA Executive Director Ashkan Soltani said the final rules will likely be released in late January. Under that timeline, with a 30-day review by the California Office of Administrative Law, the regulations would take effect around April. In February, Soltani announced the agency would miss its July 1 deadline for finalizing the rules.


cpra, ai, cybersecurity, cyber risk, data privacy