Client Alert: California Consumer Privacy Act Rules: Twists and Turns on the Road to Enforcement

Jenner & Block

Businesses subject to the California Consumer Privacy Act (CCPA) could be forgiven for feeling like they have whiplash from the twists and turns in the California privacy rulemaking process.

To recap: In June 2023, the California Superior Court in Sacramento County granted a request by the California Chamber of Commerce to delay enforcement of the California Privacy Protection Agency’s (the Agency) final regulations partially implementing amendments to the CCPA from March 29, 2023, until March 29, 2024. The Superior Court reasoned that the law had required the Agency to adopt these new rules by July 1, 2022, and prohibited enforcement until one year later. Businesses that had been scrambling to come into compliance in the three-month period between the release of the new final rules and the enforcement date in the statute found themselves with much-needed extra time.

On February 9, 2024, however, a panel of California’s Third District Court of Appeal changed direction, reversing the Superior Court decision and order staying enforcement of the new regulations.

In a unanimous decision, the Court of Appeal held that, while the Agency had failed to meet the statutory deadline to adopt final regulations by July 1, 2022, (1) the law did not impose a “clear, present, and ministerial duty” on the Agency to delay enforcement for a year; (2) it contained “no ‘explicit and forceful’ language…mandating that the Agency be prohibited from enforcing the act until (at least) one year after the Agency approves final regulations;” (3) there was no extrinsic evidence suggesting that California voters intended to provide a one-year delay to enforcement; and (4) imposing a delay would disregard the intent of voters to strengthen and protect consumer privacy rights.

The appellate court ordered the lower court to vacate its judgment and enter judgment in favor of the Agency, empowering the Agency to begin enforcement of its first regulations nearly two months before the March 29, 2024 deadline. The decision also would have the potential effect of enabling the Agency to make forthcoming regulations on cybersecurity audits, privacy risk assessments, and automated decision-making technologies enforceable immediately upon enactment without any implementation period. Businesses found themselves with the limited consolation of an admonition that the Agency should take into account both the amount of time between an alleged violation and the effective date of the statutory or regulatory provision and a business’ “good faith” compliance efforts.

The Superior Court has received the order from the Court of Appeal to vacate its order and judgment halting enforcement. But in its reversal decision, the Court of Appeal allowed the lower court to consider any “non-moot issue” concerning prompt enforcement of the regulations. Relying on this language, the Superior Court has delayed vacating its prior judgment and ordered briefing from the parties on any remaining non-moot issues to be completed by March 20, 2024. As a result, and in yet another twist, the stay of enforcement is likely to remain in place past the prior March 29, 2024, deadline, while the court reaches a decision on any non-moot issues.

Then, on February 20, 2024, the most recent twist occurred when the California Chamber petitioned the California Supreme Court for review of the Court of Appeal’s decision.

The California Chamber’s petition asserts that the Court of Appeal decision relied on a flawed interpretation of the text of the California Privacy Rights Act (CPRA) and adopted a new, heightened (and flawed) standard of statutory construction, deferring to agency interpretation of statutes unless there is “explicit and forceful” language supporting a different interpretation. This runs counter to the plain text of the CPRA, the California Chamber contends, and disregards voters’ intent to provide a one-year enforcement delay. The petition underscores the uncertainty and potential risk for businesses and consumers of permitting forthcoming CPRA regulations to be enforced immediately upon their effective date without giving effect to the statutory text setting a one-year delay. The California Chamber contends that under the Court of Appeal’s decision, “businesses do not know what is required of them because the Agency has not yet issued the necessary regulations,” but “the Agency could enforce these requirements as soon as immediately after their adoption,” a “result [that] is absurd, unfair and contrary to the one-year notice requirement expressly contained in” the statute.

The California Chamber argues that the California Supreme Court accordingly should review the Court of Appeal decision to correct the Court of Appeal’s novel “explicit and forceful” standard for reviewing agency interpretations of statutory text and protect consumers and businesses from a “chaotic” and “uneven” approach to new regulations. The petition further urges the California Supreme Court to settle the proper interpretation of the statutory text providing a one-year delay between adoption of privacy regulations and their enforcement to resolve an issue of “great, statewide public importance” that poses “intense practice and economic consequences for companies” doing business in California.

Takeaways from CPPA Rulemaking and Litigation for California Businesses

In the meantime, California businesses should consider a few takeaways from this stop-and-go process.

1. Businesses Need to Prepare for Enforcement of New CCPA Regulations and Updates to Existing Regulations When Enacted

Businesses should not wait for the California Supreme Court to exercise its discretion to decide the California Chamber’s petition. Any decision will likely come after the Superior Court sets an enforcement date for the Agency’s 2023 regulations. Given statements from the Agency that “now would be a good time […] to ensure full compliance with all of our regulations,” businesses should be prepared to set and meet their own deadlines and be prepared for rapid enforcement activity once the stay is lifted.

This applies not only to compliance with the existing CCPA regulations, but also to the three sets of CCPA regulations currently in various stages of rulemaking. In the December 8, 2023, public meeting of the Agency board, the board indicated it would soon send its proposed cybersecurity audit regulations to formal rulemaking, meaning that the regulations could be finalized in as little as six months, depending on the number of comments submitted and the modifications required.

Meanwhile, at its upcoming public meeting on March 8, 2024, the board will consider advancing its proposed regulations on privacy risk assessments and automated decision-making technologies to formal rulemaking, along with proposed updates to existing CCPA regulations. Businesses should begin planning for compliance with all of these proposed regulations because of the possibility that the Agency will deem them immediately enforceable with no time to come into compliance.

2. Businesses Should Consider Seeking Delayed Enforcement for Future Regulations

As the three proposed regulations and updates to existing regulations proceed to formal public notice and comment, businesses may consider submitting comments on the significant harms that will result if new regulations are subject to enforcement immediately with no implementation period. During the December 8, 2023 board meeting, the board expressed a willingness to listen to business concerns about the deadline to comply with the proposed privacy risk assessment regulations and seemed open to setting a longer timeline for businesses to complete their first risk assessment (within 24 months of the effective date of the regulation, instead of 12 months). Businesses should monitor the Agency rulemaking proceedings and consider filing or joining comments advocating enforcement delays or implementation periods for all future CCPA regulations, as well as any updates to the existing regulations, to afford businesses a reasonable period of time to prepare and some certainty for when enforcement will begin.

3. Businesses Should Review Updates to Draft CCPA Regulations to Prepare for Day 1 Compliance

In the December 8, 2023 meeting, the board made clear that it assumes that businesses are already closely tracking its decision-making activities and drafting process, and that potentially covered entities should already be preparing to comply with the regulations (even before the notice and comment processes begin). However, the proposed draft rules have already gone through several iterations and significant changes, meaning that businesses need to closely observe board proceedings and Agency materials to understand what they should expect to be included in final regulations. Businesses will need to monitor the Agency rulemaking process, track proposed requirements, and start to build and update responsive compliance approaches even before the rules are finalized to reduce the risk of further whiplash from immediate enforcement.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jenner & Block | Attorney Advertising
