By Scott Hall and Amber Leong
The California Court of Appeal just issued an opinion reversing a trial court decision from last year that stayed enforcement of the California Privacy Rights Act (“CPRA”) Regulations.1 If you recall, last year, on June 30, 2023 – the eve of when the regulations were to take effect – a California trial court issued a ruling and injunction halting the regulations from going into effect. The trial court found that the statute required a one-year delay from when the regulations were finalized to when they could take effect. Accordingly, because the regulations were finalized on March 29, 2023, they would not take effect until March 29, 2024.
Attorney General Rob Bonta, on behalf of the California Privacy Protection Agency (“CPPA”),2 appealed the trial court’s ruling. Last Friday, on February 9, 2024, the California Court of Appeal issued its opinion in Cal. Priv. Protection Agency v. Sup. Ct. of Sac. Cty., C099130 (Cal. Ct. App. Feb. 9, 2024). In a unanimous opinion, the California Court of Appeal reversed the trial court decision. In so doing, the Court found that nothing in the statutory language of the CPRA “unambiguously require[s] a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material[s] presented for our review signals that the voters intended such a gap,” id. at 19, “even if the specific statutory provision at issue . . . include[d] what amounts to a one-year delay,” ibid. (original emphasis included). Thus, the California Court of Appeal vacated the trial court’s order and judgment that had stayed the CPPA’s regulations “for a period of 12 months from the date that [each] individual regulation becomes final.” Id. at 22.
What this means is that the regulations take effect now – a little less than two months earlier than the expected March 29, 2024 date.
The California Court of Appeal’s ruling, though, has broader significance for pending and future regulations for which the CPPA has not issued final regulations yet – including cybersecurity audits, risk assessments, and automated decision-making. Under the Court of Appeal’s ruling, these regulations can presumably take immediate effect once they are finalized, rather than having a one-year waiting period. It remains to be seen whether the CPPA will provide a certain period of time for businesses to prepare for new regulations as they are finalized, or whether the CPPA will seek to enforce new regulations without delay in light of this ruling, though the CPRA regulations do provide that the CPPA should consider the time between the effective date of regulatory requirements and alleged violations, among other things, in deciding whether to pursue an investigation. (CPRA Regulations § 7301(b).)
With the CCPA’s original 30-day notice-and-cure provision eliminated, and both Attorney General Rob Bonta and the CPPA signaling their intent to increase enforcement of California consumers’ privacy rights, companies should work to become immediately compliant with the current CPRA regulations and should also work towards compliance with draft regulations regarding cybersecurity audits, risk assessments, and automated decision-making as there is no clear waiting period before those regulations can go into effect once finalized. In sum, businesses will need to closely monitor and always be ready for CPRA regulatory enforcement.
Please contact the Coblentz Data Privacy Team with any questions or assistance on these compliance issues.
To view a PDF version of this article, please click here.
[1] Pursuant to the CPRA, a law which was enacted by California voters through Proposition 24 and which amended the California Consumer Privacy Rights Act, authorized for regulations to be promulgated in support of therein and at issue here, and created the CPPA.
[2] The CPPA is the enforcement agency created to enforce the privacy rights of California residents.