Impact of the Last Minute CCPA-Enforcement Delay

Sheppard Mullin Richter & Hampton LLP
Contact

Sheppard Mullin Richter & Hampton LLP

A California court recently issued a ruling delaying the CPPA’s ability to enforce the most recent CCPA regulations until March 29, 2024. This does not delay enforcement of the CCPA statute or existing regulations.

What happened?

The CPRA -which went into effect January 1, 2023- modified California’s existing privacy law: CCPA. The CPRA amendment required the California regulatory authority (the CPPA) to adopt final regulations on a set of issues by July 1, 2022. (Other issues had a longer time frame.) The regulations due on July 1 were not adopted on time: they were only adopted March 29, 2023. Concerned about the lack of time to understand and implement the requirements in the regulations, the California Chamber of Commerce recently sought an injunction banning the enforcement of those regulations. They argued that enforcement should not begin until 12 months after the adoption of the regulations. The court agreed, noting that under the statute as amended, the date set for enforcement was drafted using non-mandatory language (“shall not commence until July 1, 2023” (emphasis added)). Meaning that it did not have to begin on that date. But the date by which regulations were to be adopted was mandatory (“the timeline for adopting final regulations . . . shall be July 1, 2022” (emphasis added)). Read together, the court found, the intent was that the regulations were to be enforced 12 months after their adoption. In other words, CPRA essentially called for a 12 month grace period between the date of the regulations and the date of enforcement. As such, the court held, the enforcement date of the regulation should be pushed back one year from when the regulations were issued to March 29, 2024.

What does this mean?

The CPRA amendment to CCPA became effective January 1, 2023. For now, even though the new requirements are in effect, the CPPA cannot under this order bring enforcements except for violations of the prior regulations or the statute. The ruling does not impact the substance of the CPRA amendments to the CCPA. As a reminder, the regulations that have been adopted do not cover all of the CCPA (as amended)’s requirements. Looking forward, the CPPA still needs to adopt regulations for automatic decision making, risk assessments and cybersecurity audits. It will be holding an open hearing to discuss these and other issues on July 14.

Putting it into practice. Companies can use this additional time to evaluate their CPRA regulation compliance efforts and build a sustainable privacy program agile to adapt to the flurry of other state laws that have been passed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Sheppard Mullin Richter & Hampton LLP

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide