Locke Lord QuickStudy: The CPRA: A Missed Deadline Gives Companies a Break

Locke Lord LLP
July 3, 2023

The California Privacy Rights Act of 2020 (“CPRA”), which voters approved in November 2020, expanded consumers’ protections under the California Consumer Privacy Act of 2018 (“CCPA”). The CPRA introduced new consumer rights, limited the ability of businesses to collect, use and share personal information, and added new obligations and challenges for businesses. The CPRA also assigned the responsibility of enforcing this law to a newly created agency, the California Privacy Protection Agency (“Agency”). Importantly, Cal. Civ. Code 1798.185 required the Agency to adopt final regulations relating to these new obligations by July 1, 2022, and did not permit enforcement of the law until July 1, 2023.

The Agency missed its deadline though. In particular, the regulations relating to 12 of the 15 areas specified by Cal. Civ. Code 1798.185 were not finalized until March 29, 2023. Further, the Agency has not proposed (let alone finalized) regulations to address the remaining three areas, which are to specify requirements for cybersecurity audits, risk assessments, and automated decisionmaking technology.

As a result, the day after the first set of regulations was finalized on March 29, 2023, the California Chamber of Commerce (“Chamber”) filed a Verified Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the Agency in the Superior Court for the County of Sacramento. The Chamber argued that the Agency’s failure to finalize all of the required regulations by July 1, 2022 wrongfully deprived companies of the one-year period to develop, update, and implement the systems necessary to comply with the new regulations. Thus, the Chamber asked the court to prevent the Agency from enforcing the CPRA until one year after all of the regulations are finalized.

The Agency responded that the CPRA did not actually require that the regulations be finalized by a specific date, despite the language in the law. In addition, the Agency claimed that California voters did not expressly intend that the CPRA give impacted businesses a 12-month grace period between adoption of the regulations and their enforcement.

On June 29, 2023, the court issued a ruling that granted the Chamber’s petition. The ruling enjoins the Agency from enforcing regulations until one year after they are finalized. Therefore, the regulations finalized on March 29, 2023 cannot be enforced until March 29, 2024. Given the need for the regulations in order to define obligations under the CPRA, it is difficult to imagine that the statutory provisions related to these required regulations could be enforced. Therefore, the injunction appears to give businesses another nine months to be in compliance with the new CPRA obligations that are subjects of the 12 new regulations. Further, enforcement of the requirements for cybersecurity audits, risk assessments, and automated decisionmaking technology is delayed until 12 months after the related regulations are finalized.

It is worth noting this decision does not delay the enforcement of all provisions of the CPRA, just the detailed requirements of the regulations. That being said, based on the ruling, companies rushing to confirm compliance with the CPRA regulations are now able to take a deep breath and enjoy Independence Day!