The California Privacy Protection Agency (CPPA) released additional materials for their upcoming February 3, 2023 meeting. Among the materials are the proposed final version of the first set of regulations and the corresponding final statement of reasons. Importantly for businesses that have been working to comply with the regulations, the CPPA has made no material changes to the final regulations as compared to the draft regulations released in November.
Businesses should keep in mind that these final regulations are only part of the regulations to be issued by the CPPA. The CPPA also released an invitation for comments on proposed rule making for cybersecurity audits, risk assessments, and automated decision making. These are important (and complex) obligations of businesses under the CPRA which have not been addressed in the proposed regulations but which will be enforceable as of July 1, 2023. In addition, the current regulations fail to address or clarify how the CPRA applies to employment and business-to-business information, which is now in scope and enforceable as of January 1, 2023. Businesses should continue to make good faith efforts to comply with these requirements based on the language of the statute.