In late June 2023, a California superior court held that enforcement of any final California Privacy Protection Agency (CPPA) regulation under the California Privacy Rights Act (CPRA) could not be implemented until one year after the regulations became final (March 29, 2024) because of delays associated with the CPPA's finalization of the regulations before the CPRA's effective date.

On February 9, 2024, a California court of appeal reversed the superior court's delay, restoring immediately the CPPA's authority to enforce its first set of regulations, which were finalized in March 2023. The March 2023 regulations revise and supplement the California Consumer Privacy Act (CCPA), addressing topics such as data processing agreements, consumer opt-out mechanisms, mandatory requirements for recognition of opt-out preference signals, and consumer request handling.

The ruling also enables the CPPA to begin enforcing other future regulations as soon as they are finalized, including regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, none of which will be subject to a 12-month stay of enforcement.

As a result of this decision, companies subject to California data privacy regulations (pretty much anyone who does business in California) should be prepared to comply with all final CPPA regulations and keep a keen eye on draft regulations, since the time between regulations being issued and enforced can now be greatly reduced.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.