March 2023 was a consequential month for data privacy law. The California Office of Administrative Law (OAL) formally approved regulations issued by the California Privacy Protection Agency (CPPA) implementing the California Consumer Privacy Act (CCPA), the Colorado Secretary of State released the final version of the Colorado Attorney General's rules implementing the Colorado Privacy Act, and Iowa became the sixth state to enact its own comprehensive privacy law.

The CPPA approved the CCPA regulations during a meeting on February 3, 2023. The regulations were then filed with the OAL on February 14, 2023 and became effective as of March 29, 2023. Enforcement may begin on July 1, 2023, although the California Chamber of Commerce sued the CPPA in California Superior Court in Sacramento to delay enforcement to comply with Proposition 24's "one-year grace period from final adoption [of regulations for California businesses] to conform their practices to the new rules."

We previously analyzed the CCPA regulations after they were first announced in May 2022. The regulations impose requirements in areas such as dark patterns,[1] opt-out preference signals,[2] notice,[3] requests to correct and limit,[4] third-party contracts,[5] targeted advertising, and enforcement.[6] According to the CPPA, "the regulations have not changed substantively since" the agency's board approved changes at its October 29, 2022, meeting.

The OAL's approval concludes an 18-month rulemaking process that began in September 2021 with the Agency soliciting preliminary comments from the public via an initial Invitation for Comments. The Agency issued draft regulations on May 27, 2022, and commenced a formal rulemaking on July 8, 2022. The regulations were processed, and the official, final version of the regulations is posted on the CPPA's website.

Looking Ahead

Now that the first batch of the CCPA regulations has been finalized (and challenged), the CPPA is moving forward with a further rulemaking, as required by statute. In February 2023, the CPPA issued an Invitation for Preliminary Comments on Proposed Rulemaking related to cybersecurity audits, risk assessments, and automated decision-making.

DWT's Privacy and Security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.



[1] Cal. Civ. Code § 1798.140(h).

[2] Section 7025.

[3] Section 7010.

[4] Section 7023.

[5] Sections 7050-7053.

[6] Sections 7300-7304.