In another unexpected twist concerning California Privacy Rights Act regulations, covered entities need not stress about enforcement of the rules this month as anticipated.
A last-minute decision from the Sacramento County Superior Court 30 June on a complaint filed by the California Chamber of Commerce pushed enforcement of CPRA regulations from 1 July to 29 March 2024.
The court-ordered delay pertains only to CPRA rules, not the body of the CPRA statute or regulations previously finalized under rulemaking provided for by the California Consumer Privacy Act. The California Privacy Protection Agency and the California Department of Justice can still bring enforcement actions on CPRA amendments to the CCPA as of 1 July.
While businesses have been preparing for enforcement this month, the delay to March 2024 means more time to properly acclimate to CPRA rules concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling.
“The plain language of the statute indicates the agency was required to have final regulations in place by 1 July 2022,” Sacramento County Superior Court Judge James Arguelles wrote in his decision. “The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.”
In February 2022, the CPPA openly acknowledged it would not meet its statute-mandated 1 July 2022 finalization deadline due to staffing and resourcing issues. The first of at least two sets of CPRA regulations were only just finalized 30 March 2023.
The CalChamber filed its complaint in response to the CPPA’s rulemaking lag and on grounds that there needed to be a reasonable and fully recognized transition period between finalization of the rules and their enforcement.
“In passing Proposition 24 (the CPRA ballot initiative), voters understood that businesses should be provided time to implement new rules before any enforcement action is taken,” CalChamber President and CEO Jennifer Barrera said in a statement. “The court underscored this today, recognizing that it would be unfair for the CPPA to enforce new regulations when the impacted businesses did not even know what was going to be required of them.”
The first set of CPRA regulations indicated the agency would perform discretionary enforcement starting 1 July with consideration of good faith compliance efforts and the the fact the transition window between rules finalization and enforcement was less than six months.
“Although we’re disappointed the court granted the Chamber’s request to delay enforcement of portions of the regulations enacted earlier this year, the Agency remains committed to advancing the privacy rights of Californians and will take the appropriate next steps to safeguard the protections Californians overwhelmingly supported at the ballot box,” CPPA Executive Director Ashkan Soltani said in a statement.
As the court decision was made public, the CPPA Board announced a 14 July open meeting that includes discussion on the agency’s enforcement process as well as enforcement updates and priorities. The board’s presentations will be the first open discussions on enforcement since Soltani made remarks at the IAPP Global Privacy Summit in April.
Judge Arguelles’ ruling also threw cold water on the potential enforcement of the CPPA’s second CPRA rulemaking endeavor. The agency is beginning its work rules for automated decision-making, risk assessments and cybersecurity audits, but any attempt to enforce the rules immediately upon their finalization will be prohibited.
“The agency has not indicated any timeline by which it plans to enforce the law in these remaining three areas,” Arguelles wrote. “As stated, the agency could plan to begin enforcing final regulations in these areas immediately upon their finalization, giving effected business no time to come into compliance. The court agrees with petitioner that this would not be in keeping with the voters’ intent.”