Many businesses devoted substantial resources to privacy compliance in 2020, thanks to the California Consumer Privacy Act (CCPA). They will be rewarded for that effort: during the fall election, Californians approved a ballot initiative that will strengthen the CCPA, dedicate billions of state dollars to privacy enforcement, and create a new enforcement agency for personal privacy rights. There is no imminent deadline: the new law (the California Privacy Rights Act or CPRA) will take effect 1/1/2023, and the Attorney General must pass implementing regulations for a significant portion of the new scheme before it is clear what compliance entails.
For businesses that spent 2019 and 2020 working out California privacy compliance, the road to compliance with the CPRA is likely not to be steep. For businesses that are not yet CCPA compliant, the time is now to start work on the data collection, mapping, security, and handling processes that will underpin required compliance with the CPRA in two years' time.