Shortly before the California Privacy Right Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) were set to become enforceable on July 1, 2023, a Sacramento Superior Court judge issued a ruling on June 30, 2023 pushing enforcement of CPRA regulations from July 1, 2023 to March 29, 2024.
In 2018, the California Legislature enacted the CCPA, which provided consumers with certain rights regarding the collection and use of consumer data. In November 2020, California voters approved the CPRA, which established new standards regarding the collection, retention, and use of consumer data and created the California Privacy Protection Agency (the “Agency”) to implement and enforce the law.
Under California Civil Code section 1798.185(d), “[t]he timeline for adopting final regulations required by the [CPRA] adding this subdivision shall be July 1, 2022 . . . . Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by [the CPRA] shall not commence until July 1, 2023.” Put another way, a one-year period was established between the promulgation of final regulations and enforcement of the regulations. However, the Agency’s first set of regulations under the CPRA was not approved until March 29, 2023.
This delay was the subject of the dispute in California Chamber of Commerce v. California Privacy Protection Agency in Sacramento Superior Court. There, Petitioner California Chamber of Commerce sought a writ of mandate compelling the Agency to refrain from enforcing the CPRA within one year of adoption, arguing that California voters intended for the Agency to issue complete regulations by July 1, 2022 and that they further intended to have one year from the adoption of the final regulations until enforcement. Therefore, the delay in the final adoption of regulations required an equivalent delay in the start of enforcement. The Sacramento Superior Court agreed—and ultimately issued its order delaying enforcement until March 29, 2024 (one year after the Agency’s first set of CPRA regulations were approved).
Provided that the Sacramento Superior Court’s order is not overturned, there are two main takeaways from this ruling:
- CPRA Regulations Will Be Enforced One Year After Finalization. The Agency is not to enforce any CPRA regulations until one year after any individual regulation is finalized. Here, the subject of the suit was the regulations regarding 12 of the 15 areas required by the CPRA that were finalized on March 29, 2023. The enforcement of those regulations can begin on March 29, 2024, but the enforcement of the remaining three areas (cybersecurity audits, risk assessments, and automated decision-making technology) cannot begin until a year after the finalization of those rules.
- This Decision Only Applies to Enforcement of CPRA Regulations. The court was clear in its focus on CPRA regulations. The delay in enforcement does not apply to the body of the CPRA statute or regulations previously finalized under the CCPA.