On February 9, 2024, the California state court of appeals mandated a trial court to vacate its order and judgment prohibiting the California Privacy Protection Agency (the “Agency”) from enforcing the California Privacy Rights Act regulations (the “CPRA Regulations”) until March 29, 2024. The Agency will be able to enforce the CPRA Regulations upon the trial court vacating its order and judgment.
The CPRA Regulations impose requirements on businesses in areas including the secondary processing of personal information, methods for consumers to submit privacy rights requests, obtaining consumer consent, and implementing privacy policies. The CPRA Regulations also govern the Agency’s investigation and enforcement powers, including the Agency’s authority to audit businesses to ensure compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CPRA”).
On June 30, 2023, a California trial court granted the California Chamber of Commerce’s petition to delay enforcement of the CPRA Regulations for a year from when they became effective finding that California voters, in approving CPRA, intended for a one-year enforcement delay. CPRA, as drafted, required the Agency to promulgate regulations by July 1, 2022, but delayed enforcement of those regulations until July 1, 2023. The California Chamber of Commerce successfully argued that the year gap between the deadline and enforcement date showed that voters intended for enforcement of the CPRA Regulations to be delayed for a year. The trial court stayed enforcement of the CPRA Regulations until March 29, 2024, a year from when the regulations took effect on March 29, 2023.
The California state court of appeals disagreed with the trial court, reasoning that CPRA would have explicitly stated that enforcement would be delayed a year from the date the CPRA Regulations were approved if the intent was to create such a delay, instead of providing the July 1, 2023, enforcement date. The court of appeals acknowledged that the Agency failed to meet the July 1, 2022, deadline to issue regulations, but that the trial court did not rule on that issue.
The trial court’s decision raised a question of whether a party could also seek to delay the enforcement the regulations the CPPA is developing as part of a new preliminary rulemaking process in the areas of cybersecurity audits, risk assessments, and automated decisionmaking technology. The court of appeals’ mandate to the trial court to vacate its decision to stay enforcement strongly suggest otherwise, however.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments regarding CPRA rulemaking and provide additional information as it becomes available. Please contact us if you have any question.