The updated California data protection law itself is now in effect and enforceable as of July 1, 2023; however, enforcement of the regulations—which clarify key provisions of the law—is delayed.
Just before full enforcement was to begin for the California Privacy Rights Act (“CPRA”), the Sacramento Superior Court of California stepped in to delay enforcement of the CPRA’s regulations by adopting a tentative ruling to enjoin the California Privacy Protection Agency (“CPPA”).
Full enforcement is now delayed until March 29, 2024. This gives in-scope businesses about seven more months to bring their data protection programs into compliance with the regulations.
However, the delayed enforcement ruling does not apply to the CPRA law itself and only applies to the enforcement of the CPRA regulations. As of July 1, 2023, the CPPA can bring enforcement actions and filings against companies allegedly violating the text of the CCPA statute.
The California Privacy Rights Act—which amended the California Consumer Privacy Act—has been in effect since January 1, 2023. More states have followed California’s lead on US State data protection laws as 2023 has seen a flurry of activity in this area. The delay in enforcing the CPRA’s regulations gives businesses a longer runway to bring their data protection programs up to speed during a year that has typically seen only increases in the number of obligations businesses need to address on data protection.
CPRA Delay Ruling
The CPRA statute itself, which passed by ballot initiative in November 2022, provided that the CPPA was required to adopt final regulations by July 1, 2022, while enforcement would then begin 12 months later, on July 1, 2023. However, the CPPA only adopted the final CPRA regulations on March 29, 2023, far after the original deadline.
The court, in this case, found that the CPRA statute—by hardcoding in the July 1, 2022 regulation date and stating that enforcement would begin on July 1, 2023—essentially called for a 12 month grace period before enforcement was to begin. Because the regulations were not finalized until March 29, 2023, the court ruled that the 12-month grace period required the enforcement date to similarly be pushed back to March 29, 2024.
Importantly, the court left alone enforcement of the CPRA statute itself. The detailed, more specific requirements set forth in the regulations are not enforceable for another seven months, but the CPPA can now begin enforcing the clear requirements already set forth in the statute itself. For example, the global opt-out mechanism requirement under the CPRA likely cannot be enforced until March 29, 2024 due to the fact the specific requirements are kicked to the regulations and not spelled out in the statute.
However, this is a double-edged sword for businesses as the CPRA regulations offer clarity on the higher-level requirements set forth in the statute. For example, as of July 1, 2023, the CPPA can begin acting against those it believes to be violating the CPRA statute’s requirement to provide proper and accurate privacy notices. Businesses should still look to the CPRA regulations for clarity on those requirements despite the fact the specifics laid out in the regulations are not enforceable yet.
Further Regulations Down the Road
There are even more topics that the CPPA has only just started to address—such as cybersecurity assessment requirements—that still require finalized regulations. It is likely, based on the court’s ruling in this instance, that similar 12-month grace periods will be required before future finalized CPRA regulations can take effect.
