On June 30, 2023, California Superior Court Judge James P. Arguelles held that the California Privacy Protection Agency (the “Agency”) cannot enforce any violation for the Agency’s regulations issued on March 29, 2023, under the California Consumer Privacy Act (CCPA), as amended by the California Consumer Privacy Rights Act (CPRA) until March 29, 2024. This holding stems from a petition brought by the California Chamber of Commerce (the “Chamber”) against the Agency, arguing that based on a plain reading of the CPRA’s language, enforcement cannot begin until one year following issuance of the Agency’s regulations.
Although enforcement of the Agency’s regulations are delayed, the text of the CCPA, as well as regulations enacted prior to March 29, 2023, remain in effect and enforceable. The enforcement stay solely bars the Agency from enforcing its own issued regulations under the CPRA for one year after a particular regulation is finalized.
The Original Delay
The CPRA notes that “[t]he timeline for adopting final regulations required by the act … shall be July 1, 2022” and “ [n]otwithstanding any other law, civil and administrative enforcement … shall not commence until July 1, 2023[.]”
The Agency, however, only implemented twelve of the fifteen topics contemplated by the CPRA on March 29, 2023. This provided businesses with only three months to modify any existing business practices needed to comply with the July 1, 2023, enforcement date; absent any notice as to the effectiveness of the remaining three topics. To this day, however, regulatory guidance regarding cybersecurity audits, automated decision-making technology, and risk assessments have still not been implemented. The Agency noted publicly that they did not intend to enforce the three outstanding regulations, but fully intended to enforce the twelve implemented regulations as soon as July 1, 2023.
The Chamber’s Lawsuit
The Chamber filed a petition for writ of mandate to delay enforcement of the twelve implemented regulations (along with other causes of action). The Chamber argued all fifteen regulations were to be implemented by July 1, 2022 and that the language of the CPRA indicated that voters intended for businesses to have one year from when the regulation was implemented before enforcement.
In contrast, the Agency argued that “the text of the [CPRA] is not so straightforward to confer a mandatory promulgation deadline of July 1, 2022[.]” The Agency also argued that voters did not intend for businesses to have a year-long grace period from the approval of final regulations and the enforcement.
The Scope of the Delay
The Court agreed in part with the Chamber that the plain language of the CPRA clearly established that voters intended for there to be a gap between the approval of final regulations and violation enforcement of said regulations. The Court stated the Agency is not to enforce any violation for a regulation until one year from the date the regulation was implemented.
While the Court agreed with the Chamber that the CPRA required the Agency to have published all final regulations by July 1, 2022, the Court declined to mandate a specific date by which the Agency must finalize all regulations. The Court deemed the Chamber’s two other causes of action moot.
While the Court’s determination provides California businesses with breathing room, businesses should still be mindful of the Agency’s impending enforcement dates. As previously mentioned, the Agency will be able to enforce violations for the twelve implemented regulations on March 29, 2024. The three outstanding regulations will be enforceable violations one year from the day the three outstanding regulations are implemented. It is unclear at this time if the Agency will attempt to appeal the Superior Court’s order.
Taft will continue to monitor developments regarding compliance dates under the CPRA. As the legal landscape continues to evolve, Taft’s Privacy and Data Security Practice is ready to assist. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.
Taft summer associate Celeste Friel contributed to the research and writing of this article. Celeste attends the University of Dayton School of Law in Dayton, Ohio.