California Privacy Rights Act Enforcement Delayed

In a June 30, 2023 decision by the Superior Court of California, County of Sacramento, the Court issued a ruling delaying agency enforcement of final regulations under the California Privacy Rights Act (CPRA) until March 2024. Calfornia Chamber of Commerce v. California Privacy Protection Act, Case No. 34-2023-80004106-CU-WM-GDS (Sacramento Superior Court, June 30, 2023).

The California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA) provisions in the ballot initiative passed in 2020 by California voters are still in effect. However, enforcement of the final regulations implementing the CPRA, enacted on March 29, 2023 by the California Privacy Protection Agency (Agency) and which were set to go in effect on July 1, 2023, has been stayed by the California court until March 2024 (until one year after the enactment of the final CPRA regulations). Assuming the ruling is not overturned on appeal, it gives businesses another 9 months to become compliant with the final CPRA regulations. Businesses still need to remain compliant with the prior CCPA regulations in effect before the final CPRA regulations, including the CPRA provisions that were in the ballot initiative of 2020. The Agency has set a public meeting for July 14 to discuss enforcement and other topics.  

Notably, on March 29, 2023, the Agency issued final regulations with respect to only 12 of the 15 areas required by Section 1798.185 of the CPRA. The Court ruled that enforcement of these regulations was delayed until March 29, 2024. Enforcement of any regulations in the remaining three areas (cybersecurity audits, risk assessments and automated decision-making technology) will begin until a year after the Agency finalizes those rules. The Court did not mandate any specific date by which the Agency must finalize these remaining regulations.