On Friday, June 30, 2023, the Superior Court of California (Sacramento Division) delayed enforcement of regulations under the California Privacy Rights Act of 2020 ("CPRA") until one year after adoption – or March 29, 2024. The regulations were published by the California Privacy Protection Agency ("Agency") on March 29, 2023. The court further held that future CPRA regulations also will not be enforceable until one year after adoption.
GROOM INSIGHT: Notably, the delay does not
appear to impact the carve-out in the CPRA for health plans and
insurers subject to the HIPAA privacy rules or personal information
subject to the Gramm-Leach-Bliley Act. So, those carve-outs
continue to apply.
In addition, the delay does not address the "employer"
exception that was included in the original California Consumer
Privacy Act ("CCPA"). That exception sunsetted on
December 31, 2022 and remains expired.
As background –
- CCPA – The California legislature first adopted the CCPA in 2018. The CCPA was intended to enhance privacy rights and consumer protections for California residents. The California Department of Justice ("DOJ") promulgated an initial round of regulations implementing the CCPA on August 14, 2020, which were amended on March 15, 2021.
- CPRA – In November 2020, California voters passed the CPRA (in Proposition 24), which amended the CCPA. On March 29, 2023, the newly-formed Agency issued regulations under the CPRA, which updated the 2020 and 2021 regulations previously published by the DOJ under the CCPA.
The delay adopted by the Superior Court relates only to regulations adopted under the CPRA. The Superior Court specifically states that (emphasis added):
The Petition is granted, in part. Enforcement of any final Agency regulation implemented pursuant to Subdivision (d) will be stayed for a period of 12 months from the date that individual regulation becomes final, as described above. The Court declines to mandate any specific date by which the Agency must finalize regulations. This ruling is intended to apply to the mandatory areas of regulation contemplated by Section 1798.185, subdivision (a). Consistent with the plain language of Section 1798.185, subdivision (d), regulations previously passed pursuant to the CCPA will remain in full force and effect until superseding regulations passed by the Agency become enforceable in accordance with the Court's Order.
The first set of CPRA regulations were finalized on March 29, 2023, so these regulations will not be enforceable until March 29, 2024 – one year after the date of adoption. Going forward, future CPRA regulations also will not be enforceable until one year after adoption. However, regulations the DOJ adopted in 2020/2021 under the CCPA were not impacted by the Court's decision.
GROOM INSIGHT: While there may be a little
breathing room regarding enforcement of the CPRA under this court
order as the California regulators review how to proceed, the
overall outcome is that employers and benefit plans that are not
subject to the HIPAA or Gramm-Leach-Bliley exceptions still should
be working toward compliance, where applicable, since the current
CCPA regulations are still enforceable, and the CPRA regulations
will be enforceable in March 2024.
Such employers and benefit plans can use this time to review their
positions on applicability, take inventory of information subject
to these rules, and plan and execute steps for compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.