The Superior Court of California delayed enforcement of California Privacy Rights Act of 2020 (CPRA) regulations on June 30, 2023, providing much sought-after reprieve for covered entities scrambling to get into compliance with the newly pseudo-finalized CPRA regulations.
After California voters approved Proposition 24 in November 2020, CPRA established new standards regarding the collection, retention, and use of consumer data and created the California Privacy Protection Agency (Agency) to implement and enforce the law. CPRA also imposed new obligations governing personal information, including requirements that businesses adopt certain mechanisms permitting consumers to opt out of data sharing. CPRA required the Agency to adopt final regulations for the amended statute by July 1, 2022, and further prohibited civil or administrative enforcement of the statute’s amendments (including as amended by the final regulations) until July 1, 2023.
The Agency released its first proposed regulations July 2, 2022, modified these regulations in November 2022, and the final modified set of regulations under CPRA were not approved until March 29, 2023. This set of regulations only covered twelve of the fifteen areas contemplated by CPRA. The Agency concedes it has not yet finalized regulations regarding the three remaining areas — cybersecurity audits, risk assessments, and automated decision-making technology — and that these areas contemplated by the regulations will not be finalized until sometime after July 1, 2023. While the Agency has publicly stated it will not be enforcing the law in the three non-finalized areas, it did intend to enforce the law in the other twelve areas as soon as July 1, 2023.
However, in the final hours before enforcement, the Superior Court of California, if upheld, delayed enforcement of those regulations that became final on March 29, 2023, to March 29, 2024, noting that the voters' intent was not to give effected businesses only three months to get into compliance and instead the plain language of the statute was intended to provide a one-year grace period.
The Court declined to mandate any specific date by which the Agency must finalize the remaining contemplated regulations; however, the ruling determined that any Agency regulation implemented will be stayed for a period of 12 months from the date that individual regulation becomes final. This ruling applies to the mandatory areas of regulation contemplated by Section 1798.185, subdivision (a). However, the Court clarified that the existing (pre-CPRA) California Consumer Privacy Act of 2018 (CCPA) regulations will remain in full force and effect until the superseding regulations finalized by the Agency become enforceable next March.