Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations
A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe for enforcement without any further delay. Moreover, additional regulations expected to be finalized over the next year will be enforceable with no waiting period.
On February 9, 2024, the Third Appellate District of the California Court of Appeal reinstated the California Privacy Protection Agency’s (CPPA) authority to enforce the CCPA regulations. The court’s ruling in California Privacy Protection Agency v. The Superior Court of Sacramento County (case number C099130) overturned the lower court’s June 2023 decision to temporarily strip the CPPA of its enforcement capabilities, thereby enabling the CPPA to immediately resume enforcement activities and, further, impacting future CPPA rulemaking and enforcement practices.
The June 2023 Superior Court Decision
The CPRA, approved by voters in November 2020, required the CPPA to adopt final regulations by July 1, 2022, in certain delineated subject matter areas, with enforcement authority to begin one year later on July 1, 2023. However, the CPPA ultimately failed to meet the initial 2022 deadline, finalizing some, but not all, of the regulations in the delineated areas no earlier than March 29, 2023. The regulations adopted addressed areas such as privacy notice requirements and the handling of browser signals for opt-out requests.
On March 30, 2023, the California Chamber of Commerce filed suit against the CPPA, challenging the CPPA’s timeline for enforcing its newly finalized regulations and arguing that the agency had missed statutory deadlines, which, in the Chamber’s view, should delay the enforcement start date until a full year after the regulations’ promulgation, to March 29, 2024. The lower court agreed and temporarily stripped the CPPA of its enforcement capabilities.
The February 2024 Appellate Court Decision
On February 9, 2024, the appellate court overturned that decision. The court found no explicit mandate in the law that would necessitate delaying enforcement until a year after the finalization of the regulations, as the Chamber had contended. Indeed, the court found that the CCPA “does not unambiguously require a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material presented for our review signals that the voters intended such a gap.” Thus, the California Chamber of Commerce “did not have ‘a clear, present and beneficial right’ to the delay in enforcement that it sought (and obtained).” Consequently, the CPPA was allowed to resume enforcing the regulations finalized last March without delay.
The litigation appears to be far from over—on February 20, 2024, the California Chamber of Commerce petitioned the California Supreme Court for review of the appellate court’s decision. This petition, however, does not halt enforcement.
Ongoing Disputes Regarding Swifter Rulemaking
Beyond the enforcement timeline dispute, questions remain regarding the California Chamber of Commerce’s request for swifter rulemaking regarding the remaining three subject matter areas (cybersecurity audits, risk assessments and automated decision-making technology). The appellate court directed the lower court to address any “issue concerning the propriety of compelling more prompt development of regulations.” While a decision on this issue may be delayed given the California Chamber of Commerce’s appeal, further disputes on this topic are upcoming and could affect future rulemaking.
Effect on Future CPPA Enforcement
The appellate court’s ruling not only reinstates the CPPA’s authority to enforce, but also provides for immediate enforcement of future regulations upon their finalization, arguably reflecting voter expectations under Proposition 24, aiming for a more immediate and impactful enforcement of privacy protections.
Indeed, this ruling clarifies that when the CPPA adopts final regulations concerning the final required subject matter areas of cybersecurity audits, risk assessments, and automated decision-making technology, the CPPA will be able to take immediate enforcement action. There is still time before final rulemaking concludes, however, as during its most recent board meeting on March 8, 2024, the CPPA indicated its plans to start formal rulemaking with respect to outstanding topics in July 2024, with completion expected in 2025. New drafts of the risk assessment and automated decision-making technology regulations were also circulated during this meeting.
Implications for Businesses
The decision reinforces the importance of proactive compliance in an era where privacy and consumer data protection are increasingly in the foreground of the legal and public discourse. As businesses operating within California’s jurisdiction now face the immediate applicability of future CPPA regulations, the ruling serves as a prompt for companies to review and, if necessary, adjust their privacy practices accordingly.
In discussing the timeline for future regulations, the CPPA has made clear that it expects compliance without delay, and while it is willing to signal the focus of future enforcement through advisories, the fact that companies have had five years with the underlying law means they should be in a position to easily react to any specifics of new regulations. With that in mind, it is imperative that companies take the necessary steps to ensure their privacy practices and policies comply with the regulations currently in force, and monitor the CPPA’s upcoming draft regulations to confirm compliance upon their finalization.
Reprinted with permission from the April 10, 2024 issue of The Recorder © 2024 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.