Enforcement of California Privacy Regulations Stayed Until 2024
In a surprise turn of events, the Superior Court of California for the County of Sacramento sided with the California Chamber of Commerce and held that the California Privacy Protection Agency (“Agency”) is stayed from enforcing its final regulations issued under the California Privacy Protection Act, as amended by the California Privacy Right Act (collectively “CCPA”), until March 2024.
In a petition that turned largely on issues of statutory interpretation, the Chamber argued that under the California Privacy Rights Act amendment to the CCPA the Agency was required to issue its final CCPA regulations by July 1, 2022, but did not. And, according to the Chamber, enforcement of the CCPA regulations could not begin until one-year after issuance of the final regulations, in order to allow impacted businesses time to become compliant with the requirements. Given that the Agency in fact issued its final regulations on twelve of the fifteen areas contemplated by Section 1798.185 on March 29, 2023, according to the Chamber this one-year window for enforcement means that the Agency is prohibited from enforcing the CCPA regulations until March 2024.
In a tentative ruling, upheld during oral argument, the Superior Court of California agreed with the Chamber’s interpretation.
What is a Tentative Ruling?
In California state court, a tentative ruling is the proposed ruling of the Court usually issued at least one day before scheduled oral argument. Under the rules governing tentative ruling procedures, a party that wishes to oppose the tentative ruling may continue with oral argument before the Court. On June 29, 2023, the Court issued its tentative ruling staying enforcement of CCPA regulations and on Friday June 30, 2023, the Agency determined to contest the Court’s tentative ruling on CCPA regulation enforcement, and oral argument was held before the Court.
Was the Tentative Ruling Upheld?
Yes. Ultimately, the Court was not persuaded by the Agency’s position that it did not have to comply with the July 1, 2022 deadline for final regulations, but that a July 1, 2023 enforcement date should still be in effect. Rather, the Court agreed with Petitioner, the Chamber, that a 12-month window for enforcement of the regulations was reflective of voter intent and statutory language.
What is the Scope of the Enforcement Stay?
The stay applies to the Agency’s enforcement actions under the CCPA final regulations only. As noted, these regulations address twelve of fifteen areas the Act contemplates will be subject to rulemaking process; rulemaking on three additional areas – cybersecurity audits, privacy impact assessments and automated decision making – remain outstanding and are generally expected by the end of the year. Subject to the Court’s ruling, it is most likely that these forthcoming regulations will also be subject to a 1-year window for enforcement following their promulgation date.
The stay does not purport to apply to the California Attorney General (“AG”)’s ability to enforce the Act’s statutory provisions, as it has already done in several ways, including through full-fledge enforcement actions and notices of violations such as its 2022 settlement with Sephora Inc., and the AG’s more recently announced investigated sweep targeting mobile apps. It is expected that AG enforcement will continue during this time.
Additionally, the Agency arguably retains its authority to enforce the Act’s statutory provisions, insofar as they are not dependent on the regulations. This includes the Act’s core components – do not sell requirements, honoring consumer requests, third party contracts and transparency obligations. It is important to remember that the Agency itself indicated in its Final Statement of Reasons accompanying the CCPA final regulations that the regulations are clarifications to the Act, and the Act itself remains in effect. Indeed, following the Court’s decision, an Agency official stated that “significant portions” of the law can be enforced by the Agency as of July 1, 2023.
As a consequence, the risk of regulatory enforcement of the CCPA remains at this time.
What is the Main Take Away for Businesses?
On the one hand, businesses now have an additional year to address substantive compliance with the CCPA regulations. This is, in a sense, a last minute and largely welcomed reprieve to the business community, many of whom were left to scramble over the last three months to address changes in the adopted March 2023 final regulations.
On the other hand, the CCPA statutory terms remain enforceable during this time, and the regulations were to operate as technical clarifications to the Act’s substantive requirements. Thus, businesses should continue to monitor AG and CPPA enforcement activity, and to work and act substantively in compliance with the requirements of the Act. It is expected that the Agency will also productively utilize this time to focus on public awareness and voluntary compliance, and in continuing to build out its relatively well-resourced team of enforcement staff.
Businesses that have made strides in CCPA compliance programs should not deprioritize those efforts. Rather, the stay should serve as an opportunity for additional trainings, testing of and improvement to existing compliance processes, among other things.
This is especially so given there are now close to twelve (12) enacted state privacy laws, including at least one other enforceable law (Virginia) and two others with July 1, 2023 effective dates (Connecticut and Colorado). The CCPA regulatory stay should not be viewed as a reason to deprioritize privacy, but as an opportunity to continue on the path towards the build out of a comprehensive privacy program, with a little more breathing room now.
Clark Hill’s Cybersecurity, Data Protection, and Privacy attorneys advise clients on emerging challenges related to today’s digital economy. View and sign up for our monthly “Right to Know” newsletter, a rundown of all things cyber, privacy, and technology. For further information, please reach out to the authors or another member of our team.
The views and opinions expressed in the article represent the view of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.
WEBINAR: The Race to 2024: Politics and Social Media in the Workplace and Employer Rights.
Over the last several years, employers have seen and continue to see increased political activities from their employees at work and on social media platforms, including on business-related social media platforms, like LinkedIn. Managing employee expression causes unique challenges for employers and HR professionals, and in a General Election year, these challenges are likely to increase as the Presidential race, and other races, heat up.
Webinar: A Cookieless Future and Promise of PETs: A Primer on Privacy Enhancing Technologies
This webinar will explore PETs – we will define what they are, what problems PETs exist to address, and emerging PET standards including the National Institute of Standards and Technology (NIST) draft guidance on how to evaluate PET effectiveness. We will provide specific PET use cases and discuss how PETs may be utilized to address the phase out of third party cookies by certain browsers for purposes of targeted advertising.
WEBINAR: Cybersecurity Resilience in Law Firms
This webinar focuses on law firms seeking useful information about robust cybersecurity strategies to protect their clients, maintain ethical and legal compliance, and fortify their digital infrastructure.