Finalization of California Privacy Rights Act (CPRA) Is Pushed Back

Publish Date


Cyber Alert

  • Cybersecurity

The California Privacy Rights Act (CPRA), which will replace the California Consumer Privacy Act (CCPA), is slotted to go into effect January 1, 2023. However, the California Privacy Protection Agency Executive Director, Ashkan Soltani, recently announced in a December 16th board meeting that the release of the final rules of the CPRA will be pushed back to April 2023, leaving a three month gap between the regulation’s effective date and the publication of its rule requirements.

As it stands, the regulation is still being reviewed and finalized by the California Privacy Protection Agency (CPPA). Executive Director Soltani anticipates the Agency to release the final rules in late January followed by a 30-day review period by the California Office of Administrative Law, making April the earliest the regulation could fully go into effect.

Until the CPRA is approved by the CPPA board and the Office of Administrative Law, the CCPA board has stated existing regulations will continue to remain in effect. The industry advice is for organizations to work on implementing the CPRA regulation in its current form, with the assumption that additional changes may need to be made following the finalization of the regulation.

For details on the existing CPRA rule requirements, check out our FAQ here

How we help

We understand that much of the privacy landscape is new and difficult to understand and manage alone. ACA offers data privacy compliance services to assist with assessing a company's compliance with relevant privacy regulations. Through the implementation of best practices, we can help companies achieve broader privacy risk and compliance objectives across your enterprise. Our team of experienced consultants can review a company’s personal data collecting activities to build a data inventory, identify risks and gaps, provide recommendations on addressing those gaps, and support the implementation of privacy requirements. 

Our service includes: 

  • Personal data discovery exercise
  • Personal data risk assessment 
  • Data processor/collector (vendor) risk assessments
  • Review of data and cybersecurity governance program
  • Review of incident response procedures and published privacy notice(s)
  • Review or development of a Record of Processing activity
  • Data processor inventory
  • Privacy training (in-person or online)
  • Readiness assessment for portfolio companies
  • Privacy program and governance development assistance
  • Data processor (vendor) risk assessments

To find out how we can help you meet your privacy obligations, please reach out to your trusted cyber adviser or contact us here.