- The California Superior Court has stayed enforcement of the CPRA regulations until March 29, 2024.
- The CPPA’s audit authority and ability to enforce the CCPA and its regulations, and the CPRA statutory language, are not impacted by this decision.
- Going forward, the CPPA will not be able to enforce a new regulation until one year following its final adoption and approval by the Office of Administrative Law.
On November 3, 2020, Californians passed the California Privacy Rights Act (CPRA), a ballot initiative that was intended to expand the rights and protections provided by the California Consumer Privacy Act (CCPA). The CPRA sets out a number of topics to be clarified via regulations and provides that “the timeline for adopting final regulations required by the act adding this subdivision shall be July 1, 2022.” The CPRA further states that civil and administrative enforcement of the provisions added or amended by the CPRA should not begin until July 1, 2023, and should apply only to violations occurring on or after that date.
As of March 29, 2023, however, the California Privacy Protection Agency (CPPA), a new agency formed under the CPRA to administer and enforce the law, had finalized regulations in only 12 of the 15 areas, leaving three areas without final regulations.
The California Chamber of Commerce brought a lawsuit in California Superior Court seeking a stay of enforcement of the CPRA, arguing that the CPRA required the CPPA to publish all final regulations by July 1, 2022, and that businesses should have a one-year grace period between the adoption and the enforcement of regulations.
The Superior Court Decision
The Superior Court largely agreed with the California Chamber of Commerce, finding that the CPRA did require the CPPA to have final regulations in place by July 1, 2022. Furthermore, the court found that the voters’ intent was to allow for a one-year gap between the adoption of regulations and their enforcement. While the court was not willing to stay the enforcement of the CPRA statutory language, it did find that enforcement of the CPRA regulations should be stayed for 12 months after the regulations’ final adoption and approval by the Office of Administrative Law (OAL).
For the current package of regulations, which was approved on March 29, 2023, enforcement cannot begin until March 29, 2024.
In the CPPA’s statement following the decision, it notes its disappointment with the outcome but does not indicate whether it plans to appeal the decision.
What Does This Mean for Businesses?
This decision does not affect the CPPA’s overall audit and enforcement authority. The CPPA has made it clear that it believes that the regulations clarify but do not place material additional obligations and burdens on businesses. Businesses should expect the CPPA to enforce the elements of the CCPA and the CPRA that can be enforced. That said, to the extent that the CPPA raises an issue with compliance with the CPRA but the specific violation is a violation of the regulations rather than of the statute itself, the CPPA will be unable to issue any civil fines or other administrative penalties. For example, while a business will be required to have contracts in place with third parties, if those contracts do not include the level of detail required in the regulations, the CPPA may not be able to challenge the business based on that issue.
Going forward, businesses should take comfort from the fact that while the CPPA may continue to issue new regulations, they will have one year to address any new requirements.
- Can the decision be appealed? Yes. The CPPA has 60 days to appeal. It has not indicated whether it plans to do so.
- What does this mean for the next package of regulations? The CPPA is currently working on a package of regulations to address cybersecurity audits and automated decision-making. The court did not impose a deadline for finalizing that package, but businesses will have one year to address that package of regulations following its final adoption and approval from the OAL.
- Will the CPPA be able to enforce violations that took place before March 29, 2024? Probably not. The CPRA states that the CPPA can enforce only violations that take place after the enforcement date, which is now March 29, 2024.