Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today.
July 2023 Trial Court Order Issued a One Year Stay of CPRA Enforcement
The first iteration of CPRA regulations were approved by the California Office of Administrative Law on March 29, 2023. But, when the Agency declared enforcement to begin on July 1, 2023, as originally planned, the California Chamber of Commerce (the “Chamber”) filed a petition arguing that, based on a plain reading of the CPRA’s language, enforcement cannot begin until one year following issuance of the Agency’s regulation.
Last June, a trial court sided with the Chamber and ordered the Agency to stay enforcement of the new and amended regulations for one year; thereby taking effect March 29, 2024. The lower court’s decision also mandated a one-year stay of enforcement to proposed regulations in development. Although enforcement of the Agency’s regulations were delayed, the text of the California Consumer Privacy Act (CCPA) as well as regulations enacted prior to March 29, 2023, remained in effect as enforceable. The enforcement stay solely barred the Agency from enforcing its own issued regulations under the CPRA for one year after a particular regulation is finalized.
CA Appellate Court Holds CPRA Regulations Enforceable TODAY
The Third District Court of Appeal held that although the Agency failed to comply with a clear requirement to adopt final CPRA regulations on or before July 1, 2022, the text of the law does not require a one-year stay between approval of the regulation and its enforcement. The Court explained:
“In any event, because there is no ‘explicit and forceful language’ mandating that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise.”
As a result of the appellate decision, the Agency is entitled to begin immediately enforcing its regulations surrounding CPRA. Additionally, future CPRA implementing regulations are no longer subject to a stay of enforcement.
What This Court Decision Means for Businesses
The CPRA is not just a law for businesses headquartered in California. Instead, under the CPRA, any entity that does business in the state of California qualifies as a regulated business if it (1) buys, sells, or shares the personal information of 100,000 or more consumers; (2) derives 50% or more of its revenue from selling or sharing consumer personal information; or (3) has annual gross revenue exceeding $25 million in the preceding calendar year. Therefore, this decision impacts businesses located both inside and outside of California.
The immediate enforceability also means that qualifying businesses need to remain vigilant in watching developments coming from the Agency and forecasts of upcoming regulations. Enforcement of future regulations (such as risk assessments, security audits, privacy impact assessments, and automated decision making technology) may be enforced upon finalization. This will give businesses, potentially, a very small window of opportunity to prepare and adapt.
Taft will continue to monitor developments regarding compliance under the CPRA. As the legal landscape continues to evolve, Taft’s Privacy and Data Security Practice Group is ready to assist. For more information on data privacy and security regulations, and other data privacy questions, please visit Taft’s Privacy and Data Security Insights Blog, and the Taft Privacy and Data Security mobile application.