You are likely aware of headlines spreading the news of a recent Superior Court of California decision that has delayed the enforcement of the California Privacy Rights Act (“CPRA”) regulations until March 29, 2024. However, while the enforcement of the regulations has been delayed until March of next year, the CPRA itself remains in effect (since January 1, 2023) and is enforceable.
On June 30, 2023—the eve of the July 1, 2023 enforcement date of the CPRA regulations—a California state court judge granted an injunction delaying enforcement of the CPRA regulations until March 29, 2024. The court found that the regulations could not be enforced on July 1, 2023 because this did not give the adequate one-year notice from March 29, 2023, when the regulations were published. See Cal. Chamber of Comm. V. Cal. Privacy Protection Agency, 34-2023-80004106-CU-WM-GDS (Cal. Sup. Ct. June 30, 2023). Specifically, the court found that the voters who enacted the CPRA by ballot initiative intended businesses to have a 12-month grace period between the adoption of final regulations and their enforcement. Id. Accordingly, the court held that enforcement of any final regulation under the CPRA must be stayed for a period of 12 months from the date that individual regulation becomes final. For the first set of CPRA regulations that became final on March 29, 2023, that means enforcement must wait until March 29, 2024.
Takeaway: While this may seem like a nine-month reprieve, this should not be the time for companies to halt or delay CPRA compliance efforts. The CPRA itself is still in effect and enforceable even if the regulations are not. If businesses have not already done so, they should use this opportunity to finalize compliance under the CPRA and its current regulations. Additionally, this decision indicates that businesses will have a year to put into place compliance processes for any new regulations promulgated in connection with the CPRA going forward (e.g., for automated decisionmaking, data impact assessments, and other regulations still forthcoming), which is good news for businesses and compliance officers.
The landscape of data privacy laws is constantly changing—with new states enacting new data privacy laws each week. By staying on top of CPRA compliance needs now, businesses will be in a better position to pivot quickly to adjust to new applicable state laws and new regulations yet to be issued under the CPRA.