California Appeals Court: Enforcement of CPRA Regulations is Now!

On February 9, 2024, the California Third District Court of Appeals in Sacramento overturned last year’s decision to postpone the effective date for the CCPA Regulations to July 2024. 

In July 2022, the California Privacy Protection Agency (CPPA) initiated the adoption of CCPA regulations, aiming to align them with CPRA enhancements and streamline the legal requirements for better comprehension and application. 

The process was completed on March 29, 2023, when the Office of Administrative Law (OAL) ratified the final version of the proposed CPRA Regulations and officially recorded them with the Secretary of State so they could take immediate effect. The version of the Regulations addressed 12 of the 15 topics outlined, leaving regulations on cybersecurity audits, risk assessments, and automated decision-making technologies pending, with no expectation of completion by July 1, 2023.

In short, back in July of 2023 the situation looked as follows: 

• By July 1, 2022, all 15 regulatory areas should have been established;
• Enforcement was scheduled to commence on July 1, 2023, after providing a one-year adaptation period for businesses;
• With only 12 areas addressed by March 29, 2023, the imminent enforcement date posed a preparation challenge for California businesses;
• The Superior Court of California determined the CPPA failed to timely complete the regulations, allowing enforcement of the finalized sections to start on March 29, 2024;
• The Court also specified that enforcement of any CPPA regulation finalized under Subdivision (d) would be deferred for 12 months from its finalization date, without setting a deadline for the CPPA to complete the regulation process.

In the overturning, the Court argued that 

[]he statute does not unambiguously require a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material presented for our review signals that the voters intended such a gap. Because the Agency did not have “clear, present, and ministerial duty” to delay enforcement of its final regulations for a year after their approval, and the Chamber did not have “a clear, present and beneficial right” to the delay in enforcement that it sought

and as such there should have been no postponement of the enforcement of the 12 regulated areas.

The argument of the Chamber of Commerce in their appeal was that under the CPRA, the CPPA was mandated to finalize these regulations by July 1, 2022, offering businesses a year-long preparation window before the July 2023 activation of the new regulations. However, because of the potential challenges posed for California businesses due to the incomplete regulation set as of March 29, 2023, the California Chamber of Commerce filed a lawsuit against the CPPA seeking to postpone the enforcement of these regulations. In their overturning of the decision to postpone the Appeals Court argued the following:

Although the specific statutory provision at issue here includes what amounts to a one-year delay between the deadline for the Agency to approve final regulations required by the Act (July 1, 2022) and the Agency’s authority to enforce the Act (July 1, 2023), there is no clear, unequivocal language mandating a one-year delay between approval and enforcement. The Chamber has not pointed to, and we have not found, any language in the Act convincing us that the proper remedy for the Agency’s failure to timely approve final regulations (i.e., comply with the July 1, 2022, deadline) is to disregard the July 1, 2023, enforcement date explicitly set forth in the statute and stay enforcement of any untimely regulation until one year after that regulation becomes final. There is no express statutory language prescribing such a consequence.

As such, the Court stated, 

[...] because there is no “explicit and forceful language” mandating that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise.

In light of this latest decision, the CCPA Regulations, as finalized on March 29, 2023, are enforceable effective immediately. 

Unless the effective date for the final CCPA Regulations is further challenged in court, businesses no longer have until July 2024 to prepare, and for the remaining 3 areas, cybersecurity audits, risk assessments, and automated decision making technology, enforcement would also begin immediately upon their final adoption, without the one year delay being available to covered entities. 

This ruling marks a notable triumph for both the emerging California Privacy Protection Agency (CPPA) and the Attorney General's Office of California, underscoring their clear commitment to actively enforce the regulations among a wide spectrum of businesses under its jurisdiction, some which include last summer’s  investigative sweep of large California employers as regards the personal information of employees and job applicants, which we discussed in a related blog post on CCPA Regulations and Employment Related Data, or the most recent announcement dates January 26, 2024, of yet another investigation of streaming services and their compliance with the CCPA.