California State Court Delays Enforcement Of CPRA Regulations

WilmerHale

Contributor

WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.

On June 30, the Sacramento County Superior Court issued a ruling that will delay enforcement of regulations issued pursuant to the California Privacy Rights Act (CPRA) to March 29, 2024. These regulations were originally slated to enter into effect on July 1, 2023, meaning that covered entities will now have close to nine additional months to bring themselves into compliance with the regulations, which address topics including dark patterns, opt-out preference signals, notice, requests to correct and limit, third-party contracts, targeted advertising, and enforcement.

Even with this delay in the enforcement of the CPRA regulations, however, companies are still facing a growing number of state privacy law compliance obligations. For instance, the California court's ruling does not impact enforcement based on the statutory text of the CPRA (as opposed to the corresponding regulations), meaning that companies will still be liable for violations of CPRA statutory requirements that occur on or after July 1, 2023. July 1 was also the effective date for the Colorado Privacy Act (and its corresponding rules) and the Connecticut Data Privacy Act (including recent amendments to that law focused on consumer health data). Thus, while the California court's ruling on the CPRA regulations may grant companies a mild reprieve in the privacy compliance space, there is still much to be done to ensure that companies are fully satisfying their state privacy law obligations.

In this post, we summarize the key points in the Sacramento County Superior Court's ruling and identify relevant takeaways for companies seeking to understand how this ruling affects their California privacy law obligations. For more updates on state privacy law enforcement — both in California and elsewhere — be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

SUMMARY OF RULING

The Sacramento County Superior Court's ruling is the result of a petition filed by the California Chamber of Commerce against the California Privacy Protection Agency (CPPA). The Chamber's core argument proceeded in two parts: (1) that the text of the CPRA required the CPPA to issue its CPRA regulations by July 1, 2022; and (2) that the voters who approved the CPRA did not intend for enforcement of those regulations to begin until one year after they were finalized, in order to allow businesses sufficient time to bring themselves into compliance with the new requirements. Because the CPPA did not finalize its recent CPRA regulations until March 29, 2023 (almost nine months after the statutory deadline), the Chamber argued, the CPPA therefore cannot begin enforcing those regulations until March 29, 2024.

The court agreed with the Chamber's argument. It first held that the plain text of the CPRA required that the CPRA regulations be adopted by July 1, 2022. It then noted that the statute allows the CPPA to begin enforcement on July 1, 2023, and that the inclusion of this date "indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations." Accordingly, the court concluded by staying the CPPA's enforcement of any CPRA regulation implemented under California Civil Code Section 1798.185(d) "for 12 months after that individual regulation is implemented."

KEY TAKEAWAYS

1. Enforcement Delayed to March 29, 2024: The top-line takeaway from the Superior Court's ruling is that the CPPA will not be able to enforce its recently approved CPRA regulations until March 29, 2024. As we have previously written, these regulations layer numerous requirements on top of the already-in-effect California Consumer Privacy Act (CCPA) regulations, most notably in such areas as dark patterns, opt-out preference signals, notice, requests to correct and limit, third-party contracts, targeted advertising, and enforcement.

2. One-Year Grace Period Required for Future Regulations: The Superior Court's ruling will also apply to future CPRA regulations. Notably, the recently approved CPRA regulations did not address all of the regulatory topics enumerated in the CPRA statutory text, such as cybersecurity audits, risk assessments, and automated decision-making technologies. Indeed, those topics were the subject of an invitation for preliminary public comments that the CPPA issued in February 2023. In its ruling, the court held that the CPPA's enforcement of regulations in those areas would be stayed for 12 months after their implementation.

3. No Effect on Enforcement of CPRA Statutory Requirements: Importantly, the Superior Court's ruling only applies to the CPRA regulations, not the statutory text. Thus, businesses are still liable for any violations of CPRA statutory requirements that they commit on or after July 1, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
