California Privacy Protection Agency to Begin Enforcement Activities

Nossaman LLP

After a successful appeal of a June ruling, the California Privacy Protection Agency (CPPA) is authorized to begin immediate enforcement of privacy regulations developed, and expanded, under the California Privacy Rights Act of 2020 (CPRA). Any company that has been relying on the nine-month enforcement delay is now required to implement the policies and regulations required by the CPRA to avoid penalization by the CPPA.


In the fall of 2020, California voters passed the CPRA, which created the CPPA, a new agency established to implement and enforce new consumer privacy protections. The agency intended to adopt its final regulations by July 1, 2022, with enforcement to begin on July 1, 2023.

On June 30, 2023, the California Chambers of Commerce (“the Chambers”) successfully challenged the CPPA’s ability to enforce twelve privacy regulations until a year after the CPPA finalized them, which would not have been until March 29, 2024. The Chambers argued to the lower court that a full year was necessary, and required by the CPRA, for companies to comply with the newly adopted regulations.


On February 9, 2024, the California Third Appellate District court vacated the June 30 ruling, requiring companies to immediately comply with the twelve CPRA regulations the agency has finalized. With the contested March 29 date approaching, it is unlikely that the Chambers will seek further review. The finality of the appellate court’s reversal allows the CPPA to immediately begin issuing fines ranging from $2,500 to $7,500 per violation of any regulation.

Enforceable Regulations

The areas of regulation that the CPPA is now authorized to enforce include but are not limited to:

  • Required Disclosures to Consumers;
  • Business Practices for Handling Consumer Requests; and
  • Rules Regarding Consumers Under 16 Years of Age.

What’s Next

The CPPA is set to finalize regulations in the areas of risk assessments, cybersecurity audits and automated decision-making technology. Once the CPPA finalizes these regulations, the appellate court’s reversal allows for immediate enforcement, rather than having to wait an additional twelve months as the lower court previously held.

Businesses should be up to date with all CPRA requirements and regulations to avoid being cited by the CPPA for violations. By updating any newly restricted practices or policies now rather than later, companies will not be blindsided by the CPPA’s finalization of the remaining areas of regulation. Michael Macko, Deputy Director of Enforcement for the CPPA, explained clearly, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising
