Judge James Arguelles has sided with California businesses in holding that the California Privacy Protection Agency (CPPA) cannot start enforcement of regulations promulgated under the California Privacy Rights Act (CPRA) for a year from the enactment date of the regulations. Under the CPRA, many key operational issues were left to regulation to provide business with guidance as to implementation. But, the statute also provided that the CPPA was to have those regulations in place by July 1, 2022, with enforcement to commence July 1, 2023. Regulations were not enacted until the end of March, 2023 -- and some key regulations such as cybersecurity audits and automated decision-making are still not in place -- giving covered businesses a much shorter amount of time to implement operational changes for compliance. The latest ruling gives businesses subject to the regulations until March 2024 before enforcement can begin. The additional time will help with determinations on such technical issues as how to respond to browser signals that communicate consumer opt-out preferences.
If you have not completed (or started...) your main CPRA compliance program, you're not totally off the hook here. The latest ruling does not affect the CPPA's ability to enforce the provisions of the underlying CPRA or the regulations previously enacted under the California Consumer Privacy Act.
"The plain language of the statute indicates the agency was required to have final regulations in place by July 1, 2022," Judge Arguelles ruled. "The parties agree Subdivision (d) allows the agency to begin enforcement a year later on July 1, 2023. The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations."
"The court is not persuaded by the agency's argument that it may ignore one date while enforcing the other," the judge ruled.