Keypoint: If the California Privacy Rights Act is approved by voters in November, it would trigger a series of deadlines ultimately culminating in a January 1, 2023 effective date and July 1, 2023 enforcement date.
On May 4, 2020, privacy advocates reported that they were submitting over 900,000 signatures to qualify the California Privacy Rights Act (CPRA or CCPA 2.0) for the November election. Assuming the initiative passes the signature verification process, it would be on the November 3, 2020 ballot and become law if approved by a simple majority of California voters.
If the CPRA does pass in November, it will trigger a complicated timeline of staggered effective and enforcement dates and regulatory rulemaking deadlines.
As a starting point, the CPRA would become effective the fifth day after the Secretary of State files the statement of the vote for the election. That said, only a few of the CPRA’s provisions would go into effect immediately, with most of its provisions not becoming operative until January 1, 2023.
Although a two-year delay may seem odd, it finds precedent in the implementation of the European Union’s General Data Protection Regulation (GDPR). GDPR entered into force on May 24, 2016, but did not become effective until May 25, 2018. In theory, that provided companies with two years to drive compliance.
The provisions of the CPRA that would immediately go into effect are:
- Section 1798.145(m) and (n) – These sections exempt personal information collected in a business-to-business and employee context. Under the current CCPA, those exemptions will expire on January 1, 2021. Notably, both CPRA provisions state that the exemptions will become inoperative on January 1, 2023, which means that lawmakers would have two years to consider and pass legislation addressing these exemptions.
- Section 1798.160 – This section deals with the Consumer Privacy Fund. The CPRA would modify the way such funds are allocated.
- Section 1798.199.10 through .40 and .95 – These provisions would create and fund the California Privacy Protection Agency (the Agency), which would assume the CPRA’s rulemaking and enforcement powers.
- Section 1798.185 – This section concerns the regulatory rulemaking process. The CPRA would significantly expand the topics upon which regulations would be issued and create a timeline for the development of those regulations by the Agency. The Agency would begin its rulemaking process “the later of July 1, 2021, or six months after the Agency provides notice to the Attorney General that it is prepared to begin the rulemaking” process (although Section 1798.199.40 states that this would happen “the earlier of July 1, 2021, or within six months of the Agency providing” notice). The Agency would be required to adopt final regulations no later than July 1, 2022. Enforcement of the CPRA could not begin until July 1, 2023 and could only apply to violations occurring after that day. However, enforcement actions under the CCPA could continue unabated up to that time.
Finally, while the CPRA would not go into effect until January 1, 2023, once effective, it would apply to personal information collected by a business on or after January 1, 2022 (with the exception of the right of access).
For ease of reference, a timeline of these dates is as follows:
| Date | Event |
|---|---|
| November 3, 2020 | |
| 5 days after Secretary of State files statement of vote | Effective date for sections 1798.145(m) and (n), 1798.160, 1798.185, 1798.199.10 through .40, and 1798.199.95 |
| July 1, 2021 | Approximate start date for Agency rulemaking process |
| January 1, 2022 | 12-month look back period begins |
| July 1, 2022 | Final date for Agency to adopt regulations |
| January 1, 2023 | CPRA effective date; expiration of business-to-business and employee exemptions (unless otherwise extended) |
| July 1, 2023 | CPRA enforcement date |