California Court Delays Enforcement of CPRA Regulations Until 2024

The Superior Court of California for the County of Sacramento has delayed enforcement of the first set of the implementing regulations for the California Privacy Rights Act of 2020 (“CPRA”) until March 29, 2024, one year after such regulations became effective. The court issued its order on Friday, June 30, 2023—one day before enforcement of the CPRA regulations was originally scheduled to begin.

The CPRA statute took effect on January 1, 2023. As enacted, the CPRA called for the California Privacy Protection Agency (the “Agency”) to adopt final implementing CPRA regulations by July 1, 2022, with enforcement of such regulations commencing a year later on July 1, 2023. However, the Agency was unable to meet the July 1, 2022 deadline, eventually finalizing the first set of CPRA regulations on February 3, 2023 (as discussed in our prior alert). Thereafter, the California Office of Administrative Law approved these regulations and filed them with the Secretary of State, with such regulations taking effect on March 29, 2023.

If enforcement had begun as scheduled, businesses subject to the CPRA would have had to ensure compliance with these CPRA regulations by July 1, 2023, meaning they would have had only about three months from when the regulations took effect instead of the one-year grace period provided in the statute. This posed challenges for subject businesses, and the California Chamber of Commerce filed a lawsuit seeking to delay enforcement of these CPRA regulations until one year after they became effective, maintaining the statutorily provided grace period. Ultimately, the court agreed with the Chamber of Commerce. Note, however, that this reprieve applies only to the CPRA regulations that took effect on March 29, 2023. The CPRA statutory provisions and the earlier regulations issued under the California Consumer Privacy Act before it was amended by the CPRA are still subject to enforcement.

Additionally, the CPRA regulations issued to date do not include provisions related to data protection assessments, cybersecurity audits, or automated decision-making, as called for by the CPRA statute. The Agency has not yet finalized regulations regarding these remaining areas and has recognized that it will not finalize such regulations until well after July 1, 2023. As a result, the Agency has publicly stated it will not be enforcing the CPRA in these areas until the Agency has finalized the applicable regulations. The court declined to mandate any specific date by which the Agency must finalize these regulations.

If you need assistance with your compliance efforts or want more information on the regulations or the CPRA, please contact one of our Cybersecurity & Data Privacy attorneys.