Shortly before the July Fourth holiday, the California Superior Court issued an important, but subtly complex ruling that pushes back the date when the California Privacy Protection Agency (CPPA) may begin enforcing the latest round of privacy regulations. These regulations were finalized in March 2023 and enforce provisions of the California Privacy Rights Act (CPRA), which amended the CCPA. Because of the hybrid manner in which the Court pushed back enforcement of some, though not all, CPRA-related obligations, the degree to which businesses will benefit from delayed enforcement is not at all clear.
The CPRA was passed via ballot initiative in November 2020, and amended the CCPA in significant ways. One of the provisions of the CPRA amendments enabled the creation of the CPPA, which is authorized to enforce the provisions of the CCPA beginning on July 1, 2023. The CPRA, however, required that the CPPA issue regulations enforcing the new amendments no later than July 1, 2022. The CPPA was unable to meet this deadline and issued final regulations for 12 of the 15 substantive areas of law covered by the CPRA on March 29, 2023 – nine (9) months after the deadline.
This delay led to an immediate lawsuit, which was filed by the Chamber of Commerce. The lawsuit sought an injunction to prevent the CPPA from enforcing the March 2023 amendments. The main argument advanced by the Chamber of Commerce is that the CPRA implicitly if not explicitly contemplates a 12-month period of time for companies to prepare for enforcement of the law. Because the regulations were not finalized until March 2023, the Chamber argued that the CPPA could not enforce the law until March 2024, at the earliest.
In an apparent victory for regulated entities, the Court agreed with the Chamber and held that the CPPA cannot begin enforcement of the March 2023 regulations until March 2024 – 12 months after the regulations were finalized. Future amendments to the CCPA regulations may not be enforced until 12 months after such regulations are finalized.
The Good, The Bad and the Complicated
The good news for many U.S. businesses is that, in theory, they will have an additional nine (9) months to prepare for enforcement of regulations finalized in March 2023. The bad news is that enforcement of the CPRA itself, as well as of those regulations that predated passage of the CPRA, is not affected by the ruling. The CPPA may commence enforcement of these provisions as of July 1, 2023. And indeed, the CPPA has already publicly taken this position.
All of this raises the complicated question of which obligations imposed by the CPRA are subject to the 9-month enforcement delay and which are not. For example, Section 1798.135(a) of the CPRA includes a requirement that businesses provide a “Do Not Sell/Share” link on the homepage of the website. This provision is arguably outside the scope of the recent California Superior Court ruling and may be enforced by the CPPA. But Sections 7010 and 7026 of the March 2023 regulations provide significant detail concerning the operational requirements for implementing the link, and these requirements would not be enforceable until March 2024. In other words, the extent to which the CPPA must delay enforcement of violations of the obligation to provide a Do Not Sell/Share link turns on the specific violations alleged, making it difficult for businesses to assess when enforcement will commence. Similarly, in the August 2022 Sephora consent decree, the California Attorney General’s position was that businesses subject to the CCPA need to recognize the Global Privacy Control (GPC) opt-out signal. But the operational requirements for recognizing GPC were set forth by the March 2023 regulations (§7025).
Other notable provisions of the CPRA that the March 2023 regulations clarified include: the prohibition on dark patterns (§7004), obligations to notify service providers and third parties of deletion requests (§7022), operational requirements for honoring right to correction requests (§7023), the January 1, 2022 front-end date for right to know requests (§7024), operational requirements for honoring requests to limit use of sensitive personal information (§7027), revised contractual requirements for service provider agreements (§§7050, 51), and third party contracts (§7052), among others. Again, the degree to which these new obligations are subject to March 2024 enforcement is not clear because many obligations stem, in full or in part, from the CCPA or CPRA itself.
For many U.S. businesses these complexities may be moot because these companies were already striving to be fully compliant by July 1, 2023, if not earlier. But for other companies that have yet to fully comply with the CPRA, it is unclear how much of a reprieve the California Superior Court ruling really provides. Much will depend on whether the CPPA appeals the ruling, and prevails on appeal. The CPPA has scheduled a public meeting the week of July 14, 2023 and will provide an update on enforcement.
Even if the CPPA does not appeal the Court ruling, compliance will turn on the particularities of CPPA enforcement, in particular the degree to which the CPPA ties enforcement to a CPRA regulation or statutory obligation. Businesses subject to the CCPA need to carefully monitor the CPPA’s position on this issue, via both enforcement activities and public statements.