On February 9, 2024, the California Third District Court of Appeals in Sacramento overturned a lower court order that postponed enforcement of the California Privacy Protection Agency’s (CPPA) newest rules. The decision restores the authority of the CPPA and California Attorney General to enforce the latest regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (“updated CCPA regulations”).
The updated CCPA regulations, which cover 12 out of 15 subject matter areas delineated in the CPRA, were originally scheduled to become enforceable starting on July 1, 2023. But a lawsuit from the California Chamber of Commerce last summer unexpectedly stayed enforcement until late March 2024. The Chamber had argued the CPRA requires a one-year delay between the effective date and the enforcement date of a final regulation. The CPRA contains several statutory due date provisions that, according to the Chamber, amount to a prescribed one-year delay between the deadline for the CPPA to adopt final regulations (July 1, 2022) and the enforcement of those regulations (July 1, 2023). But while the CPPA was required to adopt CPRA regulations by July 1, 2022, it failed to do so until March 29, 2023. The Chamber sued, arguing there was not enough time for businesses to comply with the new regulations. The trial court sided with the Chamber, finding an inferred one-year delay for enforcement when a new rule is issued.
The appellate court reversed, stating that it could not infer such a gap. It stated that “[the CPRA] does not unambiguously require a one-year gap between approval and enforcement regardless of when the [regulation] approval occurs” and “there is no clear, unequivocal language mandating a one-year delay between approval and enforcement.” According to the court of appeals, “because there is no ‘explicit and forceful language’ mandating that the Agency is prohibited from enforcing the CPRA until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise.”
The appellate court’s decision makes the updated CCPA regulations finalized on March 29, 2023, immediately enforceable and moves the expected compliance due date for major portions of the CPRA forward by several weeks. Additionally, assuming no further court challenges, the ruling would allow future CPRA regulations (most notably, those covering the remaining three subject matter areas of cybersecurity audit, risk assessment, and automated decision-making technology) to begin enforcement immediately upon final adoption without being subject to a one-year delay.
The decision is a significant victory for the nascent CPPA and the California Attorney General’s Office, which has strongly signaled its intent to pursue vigorous enforcement across a diverse range of covered businesses. For example, on January 26, 2024, the California Attorney General’s Office announced a new investigative sweep, seeking information from businesses with popular streaming apps and devices on their compliance with the CCPA’s consumer opt-out requirements. And last summer, the Attorney General’s Office announced enforcement sweeps targeting large California employers with respect to the personal information of employees and job applicants and the data practices of connected vehicle manufacturers and related technology companies.
With an upswing in CCPA enforcement already underway, businesses should evaluate their data practices and implement appropriate compliance measures as soon as possible. Relatedly, in response to the court victory, Michael Macko, Deputy Director of Enforcement for the CPPA, stated: “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.” We expect the California Attorney General’s Office and the California Privacy Protection Agency to continue their trend of rigorous investigative sweeps and enforcement actions.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and has deep experience representing companies subject to privacy regulatory investigations. For more information or advice concerning your CCPA or other state privacy law compliance efforts, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Doo Lee, or any member of the firm’s privacy and cybersecurity practice.