It appears the newly formed California Privacy Protection Agency (CPPA)—the body that will be enforcing the California Privacy Rights Act (CPRA) when it takes effect in January 2023—is behind schedule on rulemaking.

The five-member board of the CPPA met Thursday to discuss the CPRA, which California voters passed in a ballot referendum in 2020. The CPRA adds new data privacy mandates to the currently active California Consumer Privacy Act (CCPA).

The CPRA orders the new agency to complete rulemaking by July 2022 and begin enforcement of the law in July 2023.

But at a meeting Thursday, CPPA Executive Director Ashkan Soltani told the agency’s board that informational hearings on rulemaking for the CPRA will be held in March and April, with formal rulemaking sessions to be scheduled in “Q3 or Q4.” One member of the public who attended the virtual meeting asked if that meant the board would delay the July 2023 enforcement date. Chair Jennifer Urban said the board would take the matter under advisement.

The CCPA requires businesses to notify California consumers about the personal information they collect. The law gives consumers the right to delete their data from a company’s database and the right to opt out from having a business sell their personal information.

The CPRA ladles additional responsibilities onto businesses for how they should handle such private data, like prohibiting companies from sharing sensitive information about customers’ health, finances, race, ethnicity, and precise location; tripling fines for violations related to children’s data; and putting new limits on how companies can collect, share, and sell customers’ personal data. On several of these fronts, data privacy experts say the CPRA lines up better with the European Union’s General Data Protection Regulation (GDPR) than the CCPA does now.

The CPPA in September issued an invitation for preliminary comments on the CPRA, to address “new and undecided issues” not covered in the CCPA. The comment period closed in November. Some of those issues included:

  • Cybersecurity audits and risk assessments;
  • Automated decision-making;
  • Audits performed by the agency;
  • The right to correct inaccurate information and the right to delete information; and
  • Limiting the use of sensitive personal information.

Enforcement of the CCPA is handled by the office of California Attorney General Rob Bonta. The office started issuing noncompliance notices to companies in July 2020 and provided an update on enforcement efforts in July 2021.

Bonta’s office has also published examples of why certain unnamed companies have received notices of noncompliance with the CCPA. Common issues include companies collecting personal information from customers without providing the required notices of their data privacy rights, or lacking a procedure to respond to customer requests regarding the personally identifiable information collected.