On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.
Historical Context – Superior Court Halted Enforcement Temporarily
After the passage of the CCPA, but before the CCPA came into effect, an advocacy group called Californians for Consumer Privacy began a second ballot initiative called the California Privacy Rights Act (“CPRA”), which was approved in November 2020. The CPRA, which amended and expanded upon the CCPA, created the Agency and required the Agency to adopt final regulations by July 1, 2022 addressing a number of substantive areas, with enforcement to begin one year later on July 1, 2023. The Agency, however, failed to meet the July 1, 2022 deadline, taking until March 29, 2023 to adopt the regulations. Even then, several substantive areas remained unaddressed.
As a result of this delay in finalizing the regulations, the California Chamber of Commerce sued the Agency, seeking a delay in enforcement for one year from the date that the Agency adopts all required regulations. In June 2023, the California Superior Court in Sacramento County delayed the Agency’s enforcement of its March regulations for 12 months, on the basis that a year-long delay in enforcement was intended to provide regulated businesses with time to comply. The ruling also applied to future, required regulations issued by the Agency, with the 12-month stay of enforcement commencing from the date those future regulations were finalized. The Superior Court held that “the plain language of the statute indicates the [Agency] was required to have final regulations in place by July 1, 2022” and “the [Agency] should be prohibited from enforcing the Act on July 1, 2023 when it failed to pass final regulations by the July 1, 2022 deadline.”
The Agency appealed. While challenging the ruling, the Agency also claimed that it retained the authority to enforce the underlying statutory terms of the CCPA/CPRA, even if its regulations were not enforceable. The Agency has, accordingly, conducted investigations, but has yet to issue any CCPA/CPRA fines or other penalties. Additionally, as discussed below, the California Attorney General has pressed forward under its own statutory enforcement authority, sending out investigatory letters and entering into a $1.2 million settlement with Sephora regarding allegations that the retailer failed to honor requests to opt out, including the failure to honor browser-enabled opt-out preference signals like Global Privacy Control.
Court of Appeal Restores Authority to Enforce Regulations
In its opinion filed on February 9, 2024, California’s Third District Court of Appeal reversed the Superior Court’s ruling that delayed enforcement until March 29, 2024. Although the California Chamber of Commerce claimed that “[s]uch tolling [was] necessary to conform to the statutory requirement and voters’ intent that businesses receive a one-year grace period to update their systems and processes to comply with the new legal requirement,” the Court of Appeal concluded that the CCPA/CPRA “does not unambiguously require a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material presented for our review signals that the voters intended such a gap.”
The Court of Appeal notes that in deciding whether to pursue an investigation, the Agency must consider “all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Impact of This Ruling
This ruling should create a sense of urgency for businesses that were relying on a longer runway to comply with CCPA regulations, as the Agency is no longer subject to the one-year stay of enforcement the Superior Court had previously ordered. While the ruling affects the Agency’s March 2023 regulations, businesses should also be mindful of its impact on new rules the Agency is currently considering. Those rules cover wholly new topics, otherwise unaddressed by the statute, like automated decision-making, privacy impact assessments and cybersecurity audits. Among other things, they would require many businesses to conduct new, independent audits of their cybersecurity programs and impose broad rules around the use of technologies that could affect the development of artificial intelligence-based systems. Accordingly, businesses that have not implemented steps to comply should move swiftly to update compliance programs.