Current CPRA regulations not expected to be finalized until late January or early February - would be effective in April

The California Privacy Protection Agency announced in their December 16, 2022 meeting that they do not expect to post a final version of the initial set draft regulations until late January or early February. If there are no further modifications, this initial set of regulations would not go into effect until April. While board member Alastair Mactaggart urged the CPPA to get the current rules out without further changes, he suggested that further changes could be left to later rulemaking, leaving the door open that the regulations may still not be "final" for a long time. Nevertheless, businesses should not wait to implement their obligations under the current draft regulations, but be ready for potential changes later. 

In addition, the CPPA began the process of starting regulations for the use of artificial intelligence, risk assessments, and cybersecurity assessments. The CPPA proposed some questions to be asked to the public sometime in 2023, suggesting that regulations for these areas may not be coming for a long time. Because some of these may require significant work for businesses subject to the CPRA to implement, businesses should begin work now based on the current statute (and potentially with reference to applicable standards, such as NIST, ISO, and others), but be prepared to adjust course as the draft regulations are released.