The California Superior Court in Sacramento issued a court order on June 29 providing for a postponement of the enforcement of final California Privacy Rights Act (CPRA) regulations for 12 months until after the regulations were finalized (i.e. March 29, 2024). This order affects 12 of the 15 areas of the CPRA for which rulemaking is required.
The ruling comes in a suit filed by the California Chamber of Commerce (CalChamber) against the California Privacy Protection Agency (CPPA) because the regulations implementing the CPRA were finalized on March 29, 2023, – eight months later than the statute required. The court was in agreement with the CalChamber that the agency did not provide businesses with the required 12-month grace period to come into compliance as contemplated under the CPRA. To the plaintiffs, the regulations were incomplete and rushed upon business because of the CPPA’s own internal delays.
The court order did not blanket grant all the arguments of the CalChamber in its petition; CalChamber’s petition asserted that CPRA enforcement should not start until after all sections of the CPRA implementing regulations are finalized, which the court objected to. The court recognized that since the CPRA does not have a specified time that the last three areas of the CPRA will be finished, there would potentially be an ongoing moratorium on enforcement. For the CPRA’s future regulations covering cybersecurity audits, risk assessments, automated decision-making and AI, which the CPPA is in the process of finalizing, twelve months will now seemingly be required to pass between final regulation promulgation and the beginning of future CPPA enforcement.
For the interim, the court order affirmed that regulations passed under 2018’s California Consumer Privacy Act (CCPA) be enforced, until “superseding regulations passed by the Agency become enforceable in accordance with the Court’s Order.” Agencies (or their clients) implementing CPRA regulations into their data practices should take note of new enforcement deadlines and prepare accordingly.
Agencies interested in understanding how to implement the regulations found in the CPRA and the four state privacy laws taking effect in 2023, can download the 4A’s state privacy law guidance here. You can also watch a recording of the joint CHC/4A’s June 22d webinar on New & Updated in Privacy Laws – What Agencies & Publishers Need to Know.
The 4A’s and others in the advertising industry previously filed joint comments to the CPPA, to assert its concerns with the CPRA regulations, including its plan for expedited enforcement despite lengthy administrative delays.
Have questions or further information about the CPRA and the implications of the court-ordered enforcement delay, please contact Jim Potter at jpotter@cohealthcom.org.