The landscape for privacy regulations in the United States has been changing almost weekly. Most recently, Oregon and Delaware have joined California in enacting some of the strictest privacy regulations in the country. Now, amid increased public scrutiny on how personal information is collected, stored, and shared, the courts have pumped the breaks on some privacy rights.

California Delays CPRA Enforcement Until March 29, 2024

This ruling is not the only privacy push back California recently received from the courts. On June 30, 2023, in California Chamber of Commerce vs. California Privacy Protection Agency, Judge James P. Arguelles ruled in favor of the California Chamber of Commerce, finding that the California Privacy Rights Act (CPRA), which was set to go into enforcement on July 1, 2023, required the privacy agency to finalize regulations by July 1, 2022. The court highlighted that only 12 of the 15 regulations were finalized on March 29, 2023 and that three are still pending. The court found that voters expect enforcement to be delayed until one year after all regulations are finalized. In light of the fact that the privacy agency finalized its regulations on March 29, 2023, Judge Arguelles held that the earliest California can start enforcing the CPRA is March 29, 2024. Judge Arguelles clarified that the March 29, 2024 enforcement date only applies to the 12 passed regulations, and that the three pending regulations, once passed, can become enforceable 12 months from the date of finalization.

Judge Arguelles emphasized that his decision only applies to the regulations put in place by the new privacy agency and not rules that were previously established by the California Attorney General (AG) under the 2018 California Consumer Privacy Act (CCPA). For purposes of background, the CPRA is an amendment to the CCPA, which provides the majority of privacy regulations. The CPRA expands consumer rights such as restricting the use of sensitive personal information, the right to correct inaccurate personal information, the right to prevent entities from storing data longer than is necessary for the purpose the data was collected, etc.

Although the delay in enforcing the CPRA is a setback for the privacy agency, the CCPA has long been in effect and enforced by the California AG's Office. It has subjected companies to fines of $2,000 per violation, $2,500 for negligent violations, and $7,500 for willful violations. Most notably, Sephora entered into a $1.2 million settlement for failing to cure CCPA violations within 30-days of notice.

California AG Bonta Kicks Off CCPA Investigatory Sweep

Enforcement is about to ramp up. On Friday, July 14, 2023, California Attorney General Rob Bonta sent inquiry letters to large California employers requesting compliance information as it pertains to the CCPA. The AG's Office is focusing its investigative sweep on how employers handle employee and job applicants' personal information.

Although the CCPA has long been in effect, some businesses have not yet updated their privacy policies. With heavy fines and an investigative sweep underway, businesses should act now and work with knowledgeable law firms such as Steptoe & Johnson LLP to review their privacy policies to ensure compliance with existing and future laws. Although rumor once was that European General Data Protection Regulation (GDPR) compliance ensures US compliance, this has not been true for quite some time given the complex, strict, and differing state privacy laws across the United States.

Ninth Circuit Finds Oregon Wiretap Statute Unconstitutional

On Monday, July 3, 2023, the Ninth Circuit in a split decision in Project Veritas et al. v. Michael Schmidt et al., held that Oregon's wiretap statute—Section 165.540 of the Oregon Revised Statutes, which makes it a felony to secretly record people in public places—violates the First Amendment. The majority opinion held that the statute cannot survive the First Amendment's strict scrutiny test, because it is not "narrowly tailored to address the state's compelling governmental interests," and the law "burdens more protected speech than is necessary to achieve its state's interest." Notably however, the Circuit's ruling is limited to recordings conducted in public places.

This decision targeted Oregon's in-person wiretap statute which requires "all party consent" when recording conversations in public. "All party consent," or sometimes referred to as "two party consent," requires that all parties that partake in a conversation give consent to be recorded. This decision will likely impact other "all party consent" states such as California, Colorado, Delaware, *Connecticut, Florida, Illinois, Maryland, Massachusetts, *Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. Some states (*) such as Oregon, Connecticut, and Michigan are considered "mixed consent" states since these states have different laws for in-person versus digital communications. For example, Oregon requires "all consent" for in-person recordings but only "one party consent" for digital communications. "One party consent" requires that only one person to the conversation consent to the recording of the conversation.

Although the Oregon Attorney General's office is "considering seeking further review," spokesman Roy Kaufmann emphasized that "if this decision stands, the Oregon legislature should act swiftly to consider whether to fix our laws to reinstate some protections against secretly recording conversations." This is advice other "all party consent" states within the Ninth Circuit should also consider (California, Montana, and Washington).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.