In a shocking turn of events, a Superior Court for the County of Sacramento issued a ruling on June 30, 2023, enjoining the enforcement of the California Privacy Protection Agency’s (the “Agency’s”) California Privacy Rights Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) regulations until one year after the regulations have been finalized. We previously issued an alert reminding businesses that the CPRA amendments to the CCPA become enforceable starting July 1, 2023, but, in accordance with the court’s ruling, the Agency’s recent modifications to the CCPA regulations to account for the CPRA’s changes to the CCPA now will not become enforceable until March 29, 2024. Per the court’s ruling, the prior CCPA regulations will remain in effect until the new regulations become enforceable.
If this decision is not overturned, it will mean that businesses will now have until March 29, 2024, to come into compliance with the updated CCPA regulations before the Agency can enforce violations of those regulations. The court did not grant the California Chamber of Commerce’s (the “Chamber’s”) request that enforcement of the underlying CPRA statute be delayed.
In November 2020, California voters approved Proposition 24, also known as the CPRA, which amended the CCPA to create the Agency and require it to adopt final regulations for the amended statute by July 1, 2022. The CPRA further prohibited civil or administrative enforcement of the statute’s amendments (including as amended by the final regulations) until July 1, 2023. The Agency released its first set of proposed regulations on July 2, 2022, which it modified in November 2022, and finalized the regulations on March 29, 2023.
On March 30, 2023, the Chamber filed suit to enjoin enforcement of the CPRA and its implementing regulations. The Chamber argued that the CPRA required the Agency to adopt final regulations by July 1, 2022, but failed to do so until March 29, 2023, and California voters clearly intended to give businesses one year after the regulations were finalized to come into compliance. The Chamber further argued that, because of the Agency’s delay with the rulemaking process, businesses were faced with the difficult and burdensome requirement to comply with these complicated regulations within three months, instead of the one-year grace period contemplated by the statute.
- The Agency Failed to Meet its Required Deadlines. The court agreed with the Chamber that the text of the CPRA required the Agency to finalize the CPRA’s implementing regulations by July 1, 2022, that the Agency failed to meet that deadline, and that California voters intended to give businesses one year to come into compliance after finalizing the regulations.
- Enforcement of the Finalized CPRA Regulations. The court granted in part the Chamber’s petition for a writ of mandate commanding the Agency and other civil officers not to enforce any CPRA implementing regulations until after one year after the individual regulation becomes final. The court clarified that this does not require the Agency to complete all of the rulemaking required by the CPRA before it can begin enforcement of any regulations. Rather, the enforcement delay will be tied to individual regulations as they are finalized. Since the Agency issued final regulations with respect to 12 of the 15 areas required by the CPRA on March 29, 2023, the enforcement of those regulations can begin on March 29, 2024. With respect to the remaining three areas (cybersecurity audits, risk assessments, and automated decision-making technology), enforcement of any regulations in those areas cannot begin until a year after the Agency finalizes those rules.
- Enforcement of CCPA and CPRA v. CPRA regulations. The court’s decision focused on the ability to enforce the CPRA implementing regulations as contemplated by the timeline set forth in the statute. The court clarified that the existing (pre-CPRA) CCPA regulations will remain in full force and effect until the superseding regulations finalized by the Agency become enforceable next March. Left unresolved is whether and how the Agency’s and the California’s Attorney General’s ability to enforce the underlying provisions of the text of the statute will be impacted, if at all, and how certain pre-CPRA regulations can be enforced where their statutory basis was subsequently amended. The Agency has scheduled a public meeting for July 14, 2023, to discuss enforcement and other topics, and plans to hold a closed session to confer regarding the court’s decision.
Assuming the ruling is not overturned on appeal, this decision will give businesses more time to comply with the updated CCPA regulations. Wilson Sonsini will keep monitoring the situation and provide any updates on CCPA enforcement.Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA or other state privacy law compliance efforts, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.