Key point: If the California Privacy Rights Act is approved by voters in November, it would trigger a series of deadlines ultimately culminating in a January 1, 2023 effective date and July 1, 2023 enforcement date.
On May 4, 2020, privacy advocates reported that they were submitting over 900,000 signatures to qualify the California Privacy Rights Act (CPRA or CCPA 2.0) for the November election. Assuming the initiative passes the signature verification process, it would be on the November 3, 2020 ballot and become law if approved by a simple majority of California voters.
If the CPRA does pass in November, it will trigger a complicated timeline of staggered effective and enforcement dates and regulatory rulemaking deadlines.
As a starting point, the CPRA would become effective the fifth day after the Secretary of State files the statement of the vote for the election. That said, only a few of the CPRA’s provisions would go into effect immediately, with most of its provisions not becoming operative until January 1, 2023.
Although a two-year delay may seem odd, it finds precedent in the implementation of the European Union’s General Data Protection Regulation (GDPR). GDPR entered into force on May 24, 2016, but did not become effective until May 25, 2018. In theory, that provided companies with two years to drive compliance.
The provisions of the CPRA that would immediately go into effect are:
Finally, while the CPRA would not go into effect until January 1, 2023, once effective, it would apply to personal information collected by a business on or after January 1, 2022 (with the exception of the right of access).
For ease of reference, a timeline of these dates is as follows:
CPRA effective date
Expiration of business-to-business and employee exemptions (unless otherwise extended)