State Regulations Finalized

We no longer need to wait on rule-making for the majority of regulation compliance. All states which required rulemaking have submitted final regulations which can be used for compliance activities. Let’s take a brief look at what happened over the past two weeks.

California

The updated regulations for the California Consumer Privacy Act have been finalized. The Office of Administrative Law returned the approved regulations to the California Privacy Agency, which released an update on 3/30/23 stating not only that the proposed regulations were approved, but that they would take effect immediately, replacing the previous version from mid-2021.

In practical terms, these are the same regulations that were reviewed in October of 2022. So while there has been a delay, if you aligned your privacy efforts to that draft, you’ll likely be in good shape. If, however, you have delayed compliance pending release of the final regulations, chances are you are now very behind in compliance given the extensive amendments posed by the integration of the California Privacy Rights Act. Delayed compliance efforts may ultimately prove problematic given the impending enforcement of the Colorado and Connecticut laws in July.

Meanwhile, the open comment period for feedback on Cybersecurity Audits, Risk Assessments and Automated Decisionmaking ended on March 27th, 2023. We should be seeing a draft of the regulations concerning those topics in the coming weeks.

Colorado

Over in Colorado, things have also been advancing. Like California, the Colorado legislature authorized the creation of regulations for how the law would be enforced. That rule-making process ended on March 15th, 2023, with the 44-page final rules being sent to the Secretary of State. These regulations will be used for enforcement beginning on July 1st, 2023.

Special consideration should be given to Part 8 of the regulations, which details Data Protection Assessments. These are explained over four pages, and are likely the most in-depth set of required documentation of any State so far. Expect compliance with this Part to take a considerable amount of time.

Also worth consideration is the nearly 8-page Part 7, which details Consent Management requirements. These include behavior and user experience design considerations. This may impose stricter requirements around consent than may be acceptable in other States. It’s worth noting that these regulations may force an entity to seek re-consent if the original consent was obtained in a way that doesn’t comply with these requirements.

Lastly, unlike California, the Colorado Privacy Act and its regulations will apply to non-profits which meet other applicability thresholds and do not qualify for one of the exemptions, which is in contrast to every other State which has passed a privacy law to date.
