A California court recently issued a ruling delaying the CPPA’s ability to enforce the most recent CCPA regulations until March 29, 2024. This does not delay enforcement of the CCPA statute or existing regulations.
The CPRA -which went into effect January 1, 2023- modified California’s existing privacy law: CCPA. The CPRA amendment required the California regulatory authority (the CPPA) to adopt final regulations on a set of issues by July 1, 2022. (Other issues had a longer time frame.) The regulations due on July 1 were not adopted on time: they were only adopted March 29, 2023. Concerned about the lack of time to understand and implement the requirements in the regulations, the California Chamber of Commerce recently sought an injunction banning the enforcement of those regulations. They argued that enforcement should not begin until 12 months after the adoption of the regulations. The court agreed, noting that under the statute as amended, the date set for enforcement was drafted using non-mandatory language (“shall not commence until July 1, 2023” (emphasis added)). Meaning that it did not have to begin on that date. But the date by which regulations were to be adopted was mandatory (“the timeline for adopting final regulations . . . shall be July 1, 2022” (emphasis added)). Read together, the court found, the intent was that the regulations were to be enforced 12 months after their adoption. In other words, CPRA essentially called for a 12 month grace period between the date of the regulations and the date of enforcement. As such, the court held, the enforcement date of the regulation should be pushed back one year from when the regulations were issued to March 29, 2024.
What does this mean?
The CPRA amendment to CCPA became effective January 1, 2023. For now, even though the new requirements are in effect, the CPPA cannot under this order bring enforcements except for violations of the prior regulations or the statute. The ruling does not impact the substance of the CPRA amendments to the CCPA. As a reminder, the regulations that have been adopted do not cover all of the CCPA (as amended)’s requirements. Looking forward, the CPPA still needs to adopt regulations for automatic decision making, risk assessments and cybersecurity audits. It will be holding an open hearing to discuss these and other issues on July 14.
Putting it into practice. Companies can use this additional time to evaluate their CPRA regulation compliance efforts and build a sustainable privacy program agile to adapt to the flurry of other state laws that have been passed.