Privacy Alert: California Court Delays Enforcement of CPRA Regulations
July 7, 2023
By: Amber L. Lawyer Alexis Takashima*
On June 30, 2023, the Sacramento County Superior Court issued a decision to delay enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024. The CPRA—an amendment to the California Consumer Privacy Act (CCPA)—includes certain regulations regarding the collection, use and sale of consumer data. The California Privacy Protection Agency (CPPA) is tasked with creating and enforcing these regulations.
The CPPA was originally due to issue finalized regulations by July 1, 2022, with their enforcement to begin on July 1, 2023. Instead, the CPPA did not finalize two sets of regulations until March 29, 2023. Following the CPPA’s release of the regulations in March, the California Chamber of Commerce (CalChamber) promptly filed suit, pleading that enforcement of the regulations be delayed from July 1, 2023 to March 29, 2024. CalChamber reasoned that, originally, the CPRA allowed for a one-year adjustment period between issuance and enforcement of CPRA’s regulations and that such adjustment period should be retained in order to honor the intentions of California voters. The Superior Court agreed with CalChamber, stating that the inclusion of these dates in the language of the statute supports the conclusion that voters intended for a one-year gap between issuance and enforcement. Thus, the court held that the CPPA may only begin enforcing these regulations on March 29, 2024—one year after the regulations were issued.
However, in March 2023, the CPPA provided final regulations for only 12 of the 15 topics contained in Section 1798.185 of the California Civil Code. The CPPA stated that regulations for the three remaining categories—cybersecurity audits, risk assessments and automated decision-making technology—are not yet finalized, and the Agency has not set a date for enforcement of these laws. CalChamber voiced its concern that the CPPA would attempt to enforce this second wave of regulations immediately after their issuance, provided that they are issued after March 29, 2024. The court settled the issue by holding that the one-year adjustment period shall apply to individual regulations rather than the CPRA as a whole. This decision allows businesses a 12-month period to come into compliance with the new regulations while also providing consumers with updated, ongoing protection.
The CPPA Board recently announced that it will hold an open meeting on July 14, 2023, to discuss the procedure and form of the regulations and their enforcement. It is important to note that the court’s ruling affects only the enforcement of these regulations and does not affect the statutory provisions of the CPRA or regulations previously finalized.
Bond attorneys regularly assist and advise clients on an array of data privacy and cybersecurity matters, including compliance with CCPA and CPRA. We will monitor the status of CPRA regulations and enforcement. If you have any questions about CCPA and CPRA compliance, please contact Amber Lawyer, CIPP/US & CIPP/E or any attorney in Bond's cybersecurity and data privacy practice.
*Special thanks to Summer Law Clerk Alexis M. Takashima for her assistance in the preparation of this blast. Alexis is not yet admitted to practice law.