
Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

April 10, 2024 Articles
The Recorder

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe for enforcement without any further delay. Moreover, additional regulations expected to be finalized over the next year will be enforceable with no waiting period.

On February 9, 2024, the Third Appellate District of the California Court of Appeal reinstated the California Privacy Protection Agency’s (CPPA) authority to enforce the CCPA regulations. The court’s ruling in California Privacy Protection Agency v. The Superior Court of Sacramento County (case number C099130) overturned the lower court’s June 2023 decision to temporarily strip the CPPA of its enforcement capabilities, thereby enabling the CPPA to immediately resume enforcement activities and, further, impacting future CPPA rulemaking and enforcement practices.

The June 2023 Superior Court Decision

The CPRA, approved by voters in November 2020, required the CPPA to adopt final regulations by July 1, 2022, in certain delineated subject matter areas, with enforcement authority to begin one year later on July 1, 2023. However, the CPPA ultimately failed to meet the initial 2022 deadline, finalizing some, but not all, of the regulations in the delineated areas no earlier than March 29, 2023. The regulations adopted addressed areas such as privacy notice requirements and the handling of browser signals for opt-out requests.

On March 30, 2023, the California Chamber of Commerce filed suit against the CPPA, challenging the CPPA’s timeline for enforcing its newly finalized regulations. The Chamber argued that the agency had missed statutory deadlines, which, in its view, should delay the enforcement start date until a full year after the regulations’ promulgation, that is, to March 29, 2024. The lower court agreed and temporarily stripped the CPPA of its enforcement capabilities.

The February 2024 Appellate Court Decision

On February 9, 2024, the appellate court overturned that decision. The court found no explicit mandate in the law that would necessitate delaying enforcement until a year after the finalization of the regulations, as the Chamber had contended. Indeed, the court found that the CCPA “does not unambiguously require a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material presented for our review signals that the voters intended such a gap.” Thus, the California Chamber of Commerce “did not have ‘a clear, present and beneficial right’ to the delay in enforcement that it sought (and obtained).” Consequently, the CPPA was allowed to resume enforcing the regulations finalized last March without delay.

The litigation appears to be far from over—on February 20, 2024, the California Chamber of Commerce petitioned the California Supreme Court for review of the appellate court’s decision. This petition, however, does not halt enforcement.

Ongoing Disputes Regarding Swifter Rulemaking

Beyond the enforcement timeline dispute, questions remain regarding the California Chamber of Commerce’s request for swifter rulemaking regarding the remaining three subject matter areas (cybersecurity audits, risk assessments and automated decision-making technology). The appellate court directed the lower court to address any “issue concerning the propriety of compelling more prompt development of regulations.” While a decision on this issue may be delayed given the California Chamber of Commerce’s appeal, further disputes on this topic are upcoming and could affect future rulemaking.

Effect on Future CPPA Enforcement

The appellate court’s ruling not only reinstates the CPPA’s authority to enforce, but also provides for immediate enforcement of future regulations upon their finalization, which arguably reflects voter expectations under Proposition 24 for more immediate and impactful enforcement of privacy protections.

Indeed, this ruling clarifies that when the CPPA adopts final regulations concerning the final required subject matter areas of cybersecurity audits, risk assessments, and automated decision-making technology, the CPPA will be able to take immediate enforcement action. There is still time before final rulemaking concludes, however, as during its most recent board meeting on March 8, 2024, the CPPA indicated its plans to start formal rulemaking with respect to outstanding topics in July 2024, with completion expected in 2025. New drafts of the risk assessment and automated decision-making technology regulations were also circulated during this meeting.

Implications for Businesses

The decision reinforces the importance of proactive compliance in an era where privacy and consumer data protection are increasingly in the foreground of the legal and public discourse. As businesses operating within California’s jurisdiction now face the immediate applicability of future CPPA regulations, the ruling serves as a prompt for companies to review and, if necessary, adjust their privacy practices accordingly.

In discussing the timeline for future regulations, the CPPA has made clear that it expects compliance without delay, and while it is willing to signal the focus of future enforcement through advisories, the fact that companies have had five years with the underlying law means they should be in a position to easily react to any specifics of new regulations. With that in mind, it is imperative that companies take the necessary steps to ensure their privacy practices and policies comply with the regulations currently in force, and monitor the CPPA’s upcoming draft regulations to confirm compliance upon their finalization.

Reprinted with permission from the April 10, 2024 issue of The Recorder. © 2024 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
