On June 30, 2023—the day before the regulations were scheduled to go into effect—the Superior Court of California halted the enforcement of the California regulations that had been finalized on March 29, 2023 until March 29, 2024. (California Chamber of Commerce v. California Privacy Protection Agency, No. 34-2023-80004106-CU-WM-GDS (Cal. Super. June 30, 2023) (minute order).)
Our readers may recall that California voters approved a ballot initiative to amend the California Consumer Privacy Act. Those amendments, known as the California Privacy Rights Act (CPRA), included a requirement for regulations in 15 named areas. The CPRA included the statement that the “timeline for adopting final regulations required by the act adding this subdivision shall be July 1, 2022.” The CPRA also stated that “Notwithstanding any other law, civil, and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.”
The California Privacy Protection Agency’s regulations were delayed, and the regulations that were finally approved on March 29, 2023 addressed 12 of the 15 topics in CPRA. Nevertheless, the agency took the position that enforcement of the approved regulations would commence as of July 1, 2023.
The plaintiff sought an order (a “writ of mandate”) to cause the agency to refrain from enforcement of the regulations for one year after they were final, consistent with the timing requirements in CPRA. The court agreed: “The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” Consequently, the court ruled that the agency “may begin enforcing those regulations that became final on March 29, 2023 on March 29, 2024.”
In addition, with respect to the three areas that the March regulations did not address from CPRA—cybersecurity audits, risk assessments, and automated decisionmaking technology—the court ruled that the one-year period also applied. If, for example, the agency issued regulations on automated decisionmaking technology on October 1, 2023, “the Agency will be prohibited from enforcing a violation of said regulation until October 1, 2024.”
The court was careful to note that the agency may enforce CPRA’s finalized regulations when the one-year period is up, regardless of whether other regulations were still pending.
This ruling will be welcomed by everyone subject to CPRA that was working to become compliant by the July 1 deadline. In addition, the ruling provides companies some certainty with respect to future privacy regulations in California.