Privacy update: CCPA, CPRA and what’s in force today


Data privacy laws are quickly evolving around the world. When a company has customers worldwide, that company can be subject to the privacy laws in each customer’s location.

In the US, the evolution of data privacy regulations is being led by a few states — including California, which recently changed regulatory enforcement dates as outlined below.




Recent changes for CCPA and CPRA


On June 30, the Sacramento County Superior Court ruled that the most recent set of the California Privacy Rights Act (CPRA) regulations will not be enforced until March 29, 2024. The decision pushes back the original enforcement date of July 1.


What you should know:

  1. CPRA enforcement postponed:
    Although businesses now have more time to comply with the CPRA regulations, the court specified that existing regulations associated with the California Consumer Privacy Act (CCPA) and CPRA are still active and enforceable. This means that businesses still need to adhere to those existing statutory and regulatory requirements or risk enforcement actions from the California Privacy Protection Agency (CPPA) or Attorney General’s office.
  2. Businesses have one year to comply after any CCPA or CPRA regulations are finalized. 
    As part of its decision, the court determined that the CPRA intends to provide businesses with one year between when regulations are finalized and when enforcement begins. That’s why businesses now have until March 29, 2024, to prepare for the first set of CPRA regulations, and why they will also have one year to comply from the time that any remaining regulations are finalized.



How to adapt


The sooner you prepare for additional enforcement, the more comprehensive and efficient your preparation can be.


What you should do:

  1. Use the delay to reassess compliance efforts.
    In addition to sustaining compliance with regulations still in effect, businesses should use their additional time to review their privacy programs and assess their readiness to address requirements like:
    • Limiting the collection or processing of personal information to purposes that are consistent with consumer expectations
    • Detecting and honoring the Global Privacy Control signal as a valid opt-out request
    • Avoiding dark patterns on business websites to ensure that consumers can easily provide or deny consent and exercise their data subject rights
  2. Get ready for further regulations. 
    The California Privacy Protection Agency has not announced a specific timeline for the next set of regulations, so watch CPPA announcements for the next finalization that triggers your one-year compliance window. Cybersecurity audits, risk assessments, and automated decision-making have not yet been addressed. Regulations are likely to emerge on these or other topics, so make sure that you are prepared to adapt privacy programs when those regulations arrive.

It might seem difficult to know how to prepare for future regulations that might limit how systems handle personal data, customer data requests, website cookies and other privacy issues. However, you can take some tactical steps to build a privacy program with a strong foundation and adaptability that can endure into the future.




Other ongoing changes


The landscape is constantly changing for data privacy regulations. Here are some of the other ongoing changes and updates:


California enforcement updates

  • Apart from the postponement of CPRA regulatory enforcement, there have been other developments related to the CCPA and CPRA:
    • California Attorney General Rob Bonta announced in mid-July that letters had been issued to large employers throughout the state inquiring about their respective levels of compliance with the CCPA. Bonta's letters specifically address businesses' compliance with protections governing the handling of employees' and job applicants' personal information.
    • A new consumer complaint system adopted by the California Privacy Protection Agency came into effect on July 14, allowing individuals to submit sworn and unsworn complaints for violations of the CCPA. In addition to judicial administration, the new complaint form will also be leveraged by the Agency to monitor industry compliance and inform enforcement actions.

Oregon Consumer Privacy Act

  • On June 22, the Oregon Legislature passed the Oregon Consumer Privacy Act (OCPA), bringing it into the growing fold of US states that have passed comprehensive consumer privacy legislation. The OCPA could be best understood as taking provisions from the Connecticut Data Privacy Act and the Colorado Privacy Act. However, the bill has some unique provisions in that it adopts expansive definitions of biometric data, including information that may allow the unique identification of an individual, not just data collected for the explicit purpose of such identification. Additionally, OCPA does not exclude from coverage entities that are subject to existing federal laws, such as HIPAA and GLBA. The OCPA, if signed by the Governor, will go into effect July 1, 2024, with the exception that the effective date for non-profits is July 2025. In 2023, a total of seven U.S. states passed a comprehensive privacy law, and eight U.S. states passed nine laws regulating specific privacy matters (like protecting consumer health, children, and biometric data).

Insurance Consumer Privacy Protection Model Law #674

The National Association of Insurance Commissioners established the Insurance Information and Privacy Protection Model Act #670 (Model 670) and the Privacy of Consumer Financial and Health Information Regulation #672 (Model 672) to establish standards for collecting information. The draft Model Law #674 is intended to update and improve the requirements and provisions of these regulations.  


Where does it stand? Model Law #674 has concluded its comment period and is currently in the review and revision state. Some key requirements and changes include:


  • Consent for Cross-Border Transfers
    • Licensees or third-party service providers would be required to obtain “prior consent” from any consumer whose personal information will be shared with a person outside the U.S. or its territories.
  • Licensees and Third-Party Service Providers
    • Licensees must conduct extensive diligence and oversight on third-party service provider arrangements.
  • Private Right of Action
    • The private right of action would allow consumers to pursue litigation in the event of a licensee’s or its third-party service provider’s failure to comply with Model 674.
  • Data Minimization
    • There are expanded requirements for licensee transparency for the necessity of personal information being collected, processed, and shared.
  • Data Retention
    • Licensees must delete all of a consumer’s personal information within ninety (90) days once the permitted purpose no longer applies, and inform consumers where a relationship no longer exists.
  • Privacy Notice
    • There are increased information requirements to be included in annual privacy notices.
  • Scope of Covered Entities and Covered Data
    Consistent with recent trends, Model 674’s scope is much more expansive than either Model 670 or Model 672, and it looks to adopt similar, more stringent requirements on the collection and use of personal information as in the GDPR and CCPA.

    • Its requirements around personal information equally apply to both licensees and third-party service providers that engage in any covered activities. Covered requirements had previously not been applied to third parties.

    • It expands the definition of “personal information” beyond the definition in Models 670 and 672, and even beyond CCPA. Personal information would also include “Publicly Available Information,” which is excluded under CCPA.

    • It includes, as new categories of “personal information,” newly defined terms “sensitive personal information” and “biometric information,” which largely mirror the definitions under the CCPA. Personal information has been broken out and defined through 16 categories and subcategories.





