A California court order has delayed enforcement of the implementing regulations for the California Privacy Rights Act of 2020 (CPRA) until March 29, 2024. The California Superior Court of Sacramento County issued the court order on Friday, June 30 — one day before enforcement of the CPRA regulations was originally scheduled to begin.
The California Consumer Privacy Act of 2018 (CCPA) established consumer data privacy rights for California residents. Two years later, the CPRA was passed by ballot initiative, amending the CCPA by establishing new requirements for the processing of consumer personal information and creating the California Privacy Protection Agency to implement and enforce the law. The CPRA called for the agency to adopt final implementing regulations by July 1, 2022, with enforcement commencing a year later on July 1, 2023.
Unable to meet the July 1, 2022 deadline, the agency ended up finalizing the first set of CPRA regulations on March 29, 2023. If held to the original enforcement timeline, businesses subject to the CPRA would have had to ensure compliance with the regulations within three months of such regulations being finalized instead of one year. Concerned by this short timeline, the California Chamber of Commerce filed a lawsuit seeking to delay enforcement of the CPRA regulations until one year following the agency’s adoption of the regulations.
Ruling and takeaways
On June 30, 2023, the Sacramento County Superior Court granted the Chamber of Commerce’s request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024 – one year after the agency issued the final regulations. We’ve outlined the main takeaways of the court’s ruling below.
Businesses have one year from adoption of specific regulations to comply with those regulations
The agency is precluded from enforcing any CPRA regulations until 12 months after the date the individual regulation is implemented. The March 29, 2024 deadline therefore applies to the regulations adopted on March 29, 2023. Any future regulations promulgated by the agency will be enforced a year after the agency finalizes those specific rules. For example, the final regulations currently only cover 12 of the 15 areas contemplated by the CPRA — the agency has yet to issue regulations for cybersecurity audits, risk assessments and automated decision-making technology. Per the court’s ruling, enforcement for regulations for those remaining areas would not begin until a year after the agency finalizes those rules.
CCPA regulations remain in full effect
The court’s ruling specifically notes that “regulations previously passed pursuant to the CCPA will remain in full force and effect until superseding regulations passed by the Agency become enforceable in accordance with the Court’s Order.” The agency may still enforce the CPRA statute and the CCPA regulations from 2020 — the court order only delays enforcement of the March 29, 2023 CPRA regulations.