Recent Decision from the California Third District Court of Appeals Sparks Potential Enforcement of Privacy Regulations

Raymond Aghaian, John Brigagliano, Meghan Farmer, Samuel Hyams, Amanda Witt
Kilpatrick
Contact
LinkedIn
Facebook
X
Send
Embed

Kilpatrick

The California Privacy Protection Agency (the “Agency”) may start enforcing privacy regulations according to a recent decision from the California Third District Court of Appeal. The privacy regulations at issue stem from the California Privacy Rights Act (“CPRA”), which voters approved in 2020 through Proposition 24. Proposition 24 expanded California’s comprehensive privacy law, the California Consumer Privacy Act (“CCPA”), and created the Agency, which has broad authority to regulate and enforce laws governing privacy-related matters. These privacy regulations describe how businesses must comply with the CPRA. For example, the rules prescribe detailed steps that businesses must follow for effecting a consumer’s right to correct, access or delete personal information and make choices about the selling of personal information and uses of “sensitive” personal information. These regulations went into effect in March 2023 and the Agency was to begin enforcing them in July 2023.

Although the CPRA required the CPPA to finalize rules by July 1, 2022, the agency finalized the rules over half a year later. A day after the first set of regulations went into effect, the California Chamber of Commerce sued the Agency, arguing that businesses lacked adequate time to comply with the regulations, their effective date (March 2023) and enforcement date (July 2023). In June 2023, a trial court agreed with the Chamber and ordered the Agency to stay enforcement of the March 2023 regulations for one year.

In a February 9, 2024 opinion, the appellate court overturned the lower court’s decision, holding that the Agency’s authority to enforce the March 2023 regulations should have been effective on July 1, 2023. The court noted that there is “no ‘explicit and forceful’ language” in the CPRA which “mandat[es] that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations[.]” While the appellate court’s decision advances the enforcement timeline of the initial CPRA regulations by seven weeks, subsequent rulemaking will not be subject to a 12 month waiting period once final regulations are approved. The CPPA is actively formulating regulations for Cybersecurity Audits, Risk Assessments, and Automated Decisions Making.

“The California voters didn’t intend for businesses to pick and choose which privacy rights to honor. We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here,” said Michael Macko, Deputy Director of Enforcement for the California Privacy Protection Agency. “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

To avoid enforcement actions, businesses should immediately implement procedures that comply with these latest privacy regulations. The statute and rules apply to employees’ and business contacts’ personal information, in addition to persons traditionally considered to be “consumers.”

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising

Written by:

Kilpatrick
Kilpatrick
Contact
more
less

Kilpatrick on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide