On February 9, 2024, California’s Third District Court of Appeals reinstated the California Privacy Protection Agency’s (“CPPA”) ability to enforce the California Privacy Rights Act of 2020 (“CPRA”) regulations. The CPRA regulations aim to enhance consumer privacy rights and protections in an ever-increasing digital age.
The court of appeal’s decision comes after the California Chamber of Commerce filed a lawsuit in 2023 challenging the CPPA’s authority to enforce the CPRA regulations, citing government overreach, conflicts with existing law, and the imposition of unnecessary burdens upon businesses, and which resulted in the trial court imposing a 12-month delay on enforcement. Holding that the trial court erred in imposing the one-year delay, the court of appeals reaffirmed the CPPA’s role in overseeing compliance with the state’s privacy laws, noting that no “explicit and forceful” language exists that mandates the CPPA must wait one year from the date the final regulations were approved to begin enforcement. It remains to be seen whether the California Chamber of Commerce will seek a rehearing or review.
This development is significant for both consumers and businesses. Consumers will continue to have significant rights (with the backing of the CPPA) related to their personal information. For businesses operating and doing business in California, the potential stay on enforcement activities by the CPPA that was once a possibility is no longer a reality; the February 9th decision serves as an important reminder to covered businesses to ensure their privacy practices comply with the CPRA regulations.
As consumer privacy rights continue to expand in an ever-increasing digital environment and data privacy remains an important issue, it is essential for covered business to stay informed and adhere to the CPRA regulations.