In summary

The agency has not held a pre-rulemaking public hearing or shared any draft regulations for the public to comment on.

Profile Image

By Julian Cañete

Julian Cañete is president and CEO of the California Hispanic Chambers of Commerce.

Profile Image

Edwin Lombard, Special to CalMatters

Edwin Lombard is president and CEO of ELM Strategies and former president and CEO of the California African American Chamber of Commerce.

COVID-19, supply chain disruptions, inflation … privacy rules? 

Just when California’s 4 million small businesses have fought, scraped and clawed their way through a daunting gauntlet of global crises, a new, little-known state agency is barreling toward a deadline to create a complex framework of privacy regulations that will affect nearly all of them. 

The California Privacy Protection Agency, established following voter passage of Proposition 24, or the California Privacy Rights Act of 2020, is responsible for adopting the first comprehensive privacy regulations in the United States, and its statutory deadline is July 1. 

With only four months to go, the Privacy Protection Agency has not held a single pre-rulemaking public hearing, shared any draft regulations for the public to comment on or begun any formal rulemaking activities. Simply put, it’s not ready. 

We are deeply concerned about the unintended consequences of rushing these regulations, especially for small, minority-owned businesses that have already been disproportionately impacted by the public health crisis. 

To date, the Privacy Protection Agency lacks the appropriate resources and expertise to develop the regulations by July 1. The Legislature must step in to extend the deadline and help ensure small, minority-owned businesses have real and significant input in the process, including ample time for informational hearings, review of draft regulations and adequate public hearings. 

We recommend extending the Privacy Protection Agency’s statutory deadline to adopt privacy regulations from July 1, 2022, to Jan. 1, 2023, and extending the enforcement date from July 1, 2023, to Jan. 1, 2024. This would provide small businesses with a full year after the regulations are finalized before enforcement would begin, as intended by the California Privacy Rights Act.

Our organizations of small, ethnically diverse California businesses support protecting the privacy of the consumers we serve. But it is critical that those most impacted by potential regulation have meaningful input into its development and implementation. 

To date, the Privacy Protection Agency has not afforded small businesses more than a cursory review, but the California Privacy Rights Act originally sought balance: “The rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy while giving attention to the impact on business and innovation.” 

The plight of small businesses during the public health crisis has been well chronicled. Fifty-six percent of California small businesses experienced large, negative effects, such as layoffs, missed payments and lost revenue, during the first few months of the pandemic that has raged on for more than two years. 

California’s 1.2 million minority-owned small businesses have been especially hard hit. By September 2020, nearly 40,000 small businesses closed, and the businesses impacted most by state and county stay-at-home orders “lacked an online presence and had small cash reserves.” 

While many small businesses were forced to shut down their brick-and-mortar establishments and move more commerce online, unreasonable and impractical regulations could inflict even more damage. 

The Information Technology and Innovation Foundation has estimated that California small businesses will take on costs of $9 billion related to California’s privacy law, which does not cover compliance with other state privacy laws. 

It is critical that the Privacy Protection Agency develop regulations that are reasonable and practical to avoid unintended consequences and irreparable harm for California’s small businesses. Agency board members have described their approach as “building a plane while flying it.” There is too much at stake for such a risky, cavalier approach. 

California voters made their voice heard with passage of the California Privacy Rights Act. We must all work together to make sure any new regulations are successful. That means eliminating the risk and uncertainty associated with creating and adopting regulations on the fly. Instead, we want to help the California Privacy Protection Agency get it right by giving it more time to develop privacy regulations that are reasonable, practical and do no harm to entrepreneurs. 


Julian Cañete has also written about California casualties in Congress’ effort to regulate Big Tech, how lawmakers must commit to small, minority-owned businesses, a proposal would overturn policy that saves Californians money on auto insurance, creating pathways to postsecondary education will help ensure success, and how small businesses in California need financial relief, and how a ban on flavored tobacco will hurt convenience store owners.

Edwin Lombard has also written about how California’s tax on inherited properties hurts minority communities, Prop. 15 would threaten small businesses, how lawmakers must commit to small, minority-owned businesses, and how small businesses in California need financial relief.

We want to hear from you

Want to submit a guest commentary or reaction to an article we wrote? You can find our submission guidelines here. Please contact CalMatters with any commentary questions: