The California Privacy Protection Agency’s (“Agency”) has now issued regulations to guide enforcement of the California Consumer Privacy Act (“CPRA”). The regulations have been approved by the California Office of Administrative and are now in force.
The CPRA regulations provide significant guidance in some areas but less direction in others. The regulations provide for some relief to businesses if a “disproportionate effort” of compliance to respond to an individualized request overcomes the reasonably foreseeable impact of a failure to respond to the consumer. The regulations provide a bit of input on what the business may do in these circumstances. The regulations also discuss how businesses can respond to consumers’ (in the employment context as employees or applicants) “requests to correct” when the correction involves sensitive information that cannot be disclosed.
Just when there appears to be some guidance in the regulations for businesses, The California Chamber of Commerce filed a lawsuit to arrest any enforcement of the new regulations by the Attorney General or the Agency to give businesses at least one year to adjust practices and get into compliance with the CPRA.
The CPRA has been in effect since January 1, 2023. Absent an injunction, the Agency’s active enforcement starts July 1, 2023. Employers should ensure they are taking steps to comply with the CPRA by reviewing the new regulations and consulting with their business counsel.
The information presented is not intended to be, and does not constitute, “legal advice.” Because each situation varies, and only brief summary information is provided here, you should not use this information as a basis for action unless you have independently verified with your own counsel that it applies to your particular situation.