Mad Dash to Comply with California’s New Privacy Regulations Averted as Court Stays Enforcement Until 2024
A California court has stayed enforcement of regulations implementing the California Privacy Rights Act (CPRA). Businesses now have 12 months from the date regulations are finalized to meet the new requirements, with the first deadline extended to March 29, 2024.
The CPRA, which amended and clarified provisions of the California Consumer Privacy Act, requires certain implementing regulations and sets out deadlines both for their final adoption and administrative enforcement. The deadline for administrative enforcement, July 1, 2023, was 12 months later than the deadline for final adoption. The California Privacy Protection Agency assumed responsibility for promulgating the required regulations but missed the deadline for final adoption. Of the 15 required regulations, the agency finalized adoption of 12 on March 29, 2023. The remaining three — relating to cybersecurity audits, risk assessments and automated decision-making technology — have yet to be finalized.
Prior to the decision, the agency's delay in finalizing the required regulations left impacted businesses with a three-month window to comply with the original 12 by July 1 and an uncertain window for complying with the three yet to be issued. In light of the impossibly short compliance window, the California Chamber of Commerce sued the agency and petitioned a court in Sacramento to review the CPRA and declare the intent behind the administrative enforcement deadline. On June 30, one day before the statutory enforcement deadline, the court stayed the deadline, ruling largely in favor of the Chamber of Commerce.
In its ruling, the court declared the deadlines in the CPRA not to be firm dates, per se, but to announce the statute's intent that administrative enforcement begin 12 months after adoption of final regulations. Thus, the regulations finalized in March of this year may be enforced no earlier than March 29, 2024. Similarly, the three yet-to-be-issued regulations will be enforceable 12 months following their finalization.
As a result of the ruling, companies who have been rushing to meet the July 1, 2023, enforcement deadline have room to breathe until March 29, 2024, unless this ruling is overturned on appeal. Rather than cobbling together compliance in three months due to agency delay, they will have the benefit of the full 12-month period provided in the CPRA.
For more information about the CPRA, the CCPA, and privacy and cybersecurity compliance, please contact Chris Couch, Walt Green or any member of the Phelps’ Cybersecurity, Privacy and Data Protection team.