Reprieve! Enforcement of California’s CPRA Regulations Delayed Until March 2024
In a last-minute ruling, a California judge just delayed enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024. Enforcement of the regulations was otherwise set to commence tomorrow, on July 1. This delay is a nice reprieve for businesses subject to the California Consumer Privacy Act (CCPA), but it is not a wholesale carveout from any enforcement of the CPRA. Below is a discussion of the implications for businesses and the next steps you should take.
How We Got Here
The overview: In 2020, the California voters passed the CPRA by ballot initiative. While agency officials originally promulgated regulations based on the original version of the CCPA, the new statute called for further regulations to flesh out the new requirements of the law. They were to be completed no later than July 1, 2022, with enforcement starting July 1, 2023.
The California Privacy Protection Agency (CPPA), which is responsible for drafting the regulations, was unable to complete its rulemaking process by the July 1, 2022, deadline and finalized the regulations on March 29, 2023 – nine months late. This gave businesses a scant three months to get into compliance with the regulations.
The very next day, the California Chamber of Commerce filed a lawsuit seeking to delay enforcement of the regulations. The Chamber sought to delay enforcement of the entire CPRA until one year after all regulations were completed, noting that the agency was still working on rules related to cybersecurity audits, risk assessments, and automated decision-making. In other words, businesses would have been looking at at least a one-year reprieve if the Chamber’s request had been granted.
This afternoon, a Sacramento Superior Court granted the Chamber’s request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024. The Court further ruled that any future regulations passed by the CPPA would likewise have a one-year delay from when they were enacted. However, it did not go quite as far as the Chamber requested, which would have delayed enforcement until all rulemaking was completed.
What This Ruling Means for Businesses Subject to the CCPA
The good news: there are another nine months to get fully compliant with the March 29, 2023 regulations. Until the new regulations go into effect, the prior version of the regulations – which interprets the CCPA prior to the CPRA – remains in effect.
Now, the bad news: this is not a wholesale delay of enforcement of the CPRA. Businesses still need to comply with the CPRA provisions which were in the ballot initiative, even if they have a reprieve from the more detailed requirements under the regulations.
Next Steps for Businesses
Given this recent ruling and new timeline, businesses are no doubt asking what they should do now and what to prioritize. Here are the key takeaways:
- The employee, job applicant, independent contractor, and business-to-business exemptions are still expired as of January 1 of this year. That was NOT affected by this Court ruling. As such, if you have not already done so, your business needs to update its CCPA notices and privacy policies to fully address these groups of California residents and their CCPA rights.
- The CPPA can still enforce the CCPA and the CPRA – it just cannot enforce the March 29, 2023 CPRA regulations. If you are still working on compliance with the CCPA, the original CCPA regulations from 2020, and the CPRA, you need to get into compliance immediately.
- Businesses should take a look at how they are prioritizing various components of CPRA compliance. With the delay of enforcement of the regulations, the priority should be to:
  - Focus on ensuring compliance with the requirements that are enforceable today;
  - Review the March 29, 2023 regulations and understand how they will affect your current practices;
  - Finalize an approach and the action items you will take towards compliance with the regulations;
  - Ensure the business and those involved with CCPA compliance understand the obligations and what’s ahead.
There are several components to compliance with the CCPA, and they affect multiple business units and raise operational considerations. Becoming compliant can be a lengthy process, so businesses should make sure to take advantage of this time to get fully compliant without delay.
Fisher Phillips will continue to monitor CCPA obligations and enforcement efforts and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information direct to your inbox. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or an attorney on the firm’s Consumer Privacy Team. You can also visit our firm’s CCPA Resource Center at any time.