The California Superior Court in Sacramento decided to give businesses in California an early present for the 4th of July. The regulations promulgated by the California Privacy Protection Agency ("CPPA") back in March will not be enforceable on July 1, 2023. The new enforcement date will be March 29, 2024.
This is a result of the Court finding (account to access required) that it was the intent of the voters to require a 12-month "grace period" for businesses to build out their CCPA compliance programs. As a bit of background, and as we mentioned in our article back in April that you can find here, the California Chamber of Commerce ("the Chamber") filed suit against the CPPA in March of this year seeking a delay in enforcement. The suit argued that the CCPA regulations passed by the CPPA should only be enforceable only after 12 months from the final promulgation of all the required regulations set out in Proposition 24 and sought injunctive relief to delay CPPA's enforcement. The Chamber lawsuit was filed the day after the CPPA finalized their regulations across 12 of the 15 areas of the CCPA which rulemaking is required under Proposition 24.
In finding for the Chamber's position that the voters intended a twelve month moratorium on enforcement, the Sacramento Superior Court gave some significant relief to businesses who process data on California residents. However, the Court didn't fully embrace all the arguments of the Chamber. The Court recognized that the voter's intent was to give businesses 12 months to prepare for enforcement of any regulation that has been finalized. As a consequence, the Chamber's argument that enforcement cannot start until after all the regulations were finalized did not find success. This is because the Court recognized that since the CPPA does not have a time certain that the last three areas of the CCPA which require regulation will be finished, there would potentially be a perpetual moratorium on enforcement. As such, for any properly promulgated regulations of the CCPA, enforcement may only begin twelve months after promulgation.
Since the existing regulations were finalized and adopted May 29, 2023, under the Court's order, enforcement may only begin - for those regulations - on May 29, 2024. For the as-yet-final regulations covering cybersecurity audits, risk assessments, and AI, those regulations will have to wait until twelve months after they are final for enforcement.
For those of us who have been working non-stop to get into CCPA compliance within three months of the regulations being adopted, it will be very nice to be able to take the Independence Day off. Despite the temporary CPRA reprieve, however, the Colorado and Connecticut privacy laws are still taking effect on schedule tomorrow, July 1, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.