Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.
As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Compliant for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.
By way of background, in 2020, California voters approved Proposition 24 a/k/a, the California Privacy Rights Act of 2020, which significantly amended the CCPA. Proposition 24 not only created the California Privacy Protection Agency but also charged the Agency with finalizing regulations on numerous topics no later than July 1, 2022. Given the circumstances, this was an impossible task.
Ultimately, the Agency filed the final rulemaking package with the Office of Administrative Law (OAL) on February 14, 2023, which the OAL approved on March 29, 2023. The Agency announced that it intended to enforce those rules starting July 1, 2023, which is the enforcement date set by the statute. The Agency’s rulemaking package only covered some of the topics for which rulemaking is required and the Agency has already started the process of promulgating rules on additional topics. Importantly, the regulations do not currently address cybersecurity audits, risk assessments, and automated decision-making technology.
On March 30, 2023, the California Chamber of Commerce filed a lawsuit against the Agency. The Chamber asked the Court to order the Agency to promulgate final regulations on all topics and to delay enforcement for one year after the Agency has completed that task.
The Agency asserted that the text of the legislation was ambiguous enough so as to not have explicitly required specific deadlines or grace periods. However, the Court agreed with the Chamber that the Agency was required to finalize regulations by July 1, 2022 and had not done so. The Court also agreed that the statute, as amended, was intended to provide businesses with one year from the time regulations were finalized until enforcement began to come into compliance. However, the Court disagreed with the Chamber that enforcement should be delayed until one year after the Agency finalized all regulations. Instead, the Court found that the Agency cannot enforce the new regulations until March 29, 2024, which is one year after the OAL approved the regulations on March 29, 2023. The Court further found that any new regulations promulgated by the Agency on remaining topics cannot be enforced by the Agency until one year after they are finalized.
Although the Court’s ruling will be welcomed by businesses driving compliance with the CCPA, it is unclear how much of an impact it will ultimately have on enforcement. As noted, the Court’s ruling only prohibits the Agency from enforcing new regulations—it does not prohibit the Agency from enforcing the statutory changes brought by Proposition 24. In that respect, businesses subject to the CCPA will need to parse the statute and the regulations to determine which obligations are statutorily required, and which are regulatorily required.
The Court declined to mandate a specific date by which the Agency must finalize regulations on remaining topics, and, although it was indicated these regulations are in process, the Agency has not indicated a timeline that provides when we can expect them.