After a drawn-out process, and with very little time to go before a mandatory enforcement deadline, California's regulators have approved a set of regulations designed to implement the state's "privacy 2.0" law, CPRA, which took effect this year. The law specifically provided that regulators would provide additional guidance/requirements on how to operationalize certain of its requirements. Enforcement of these new regulations will begin July 1st of this year.
Why It Matters
Companies that have spent the last five years updating their internal processes and external privacy disclosures to comply with EU and then California rules are wearying of the ritual. 2023 and 2024 will not afford them much rest, however: the new California regs will come into effect, as will new privacy laws in four other states.
Specific changes contained in the new California regulations could affect how much data a business can collect and use, how to offer an opt-out for sharing or sale of data or use of "sensitive" data, how notice is given on different devices/platforms to increase its accessibility, the contents and specificity of required notices, and the conditions under which the business or its commercial partners may target advertising to users.