On Friday, February 9, as the country collectively packed up and prepared to head home for Super Bowl weekend, the Third Appellate District of the California Appellate Court issued an Order granting the California Privacy Protection Agency (the Agency) the ability to immediately enforce regulations implementing the California Privacy Rights Act (CPRA), which were finalized in March 2023. This vacated a July 2023 court decision staying enforcement of the regulations until March 29, 2024.

In a public statement also released on February 9, the Agency’s Deputy Director of Enforcement Michael Macko stated that the “enforcement team stands ready to take it from here,” and it is expected that enforcement of the regulations will begin promptly. Additionally, the Order paves the way for enforcement after finalization of the proposed regulations governing cybersecurity audits, risk assessments, and automated decisionmaking technology.

A Brief Recap: How Did We Get Here?

When the CPRA was passed by ballot initiative in 2020, it established the Agency and “vested it with the authority to administer, implement, and enforce the CCPA.”[1] The CPRA became effective on January 1, 2023, required the Agency to adopt final regulations by July 1, 2022, and provided that the “Agency’s enforcement authority would take effect on July 1, 2023.”[2] The Agency failed to adopt any regulations until March 29, 2023—nine months after its statutory deadline—but as we noted last year, the Agency declared the regulations immediately effective.

The very next day, the California Chamber of Commerce (CalChamber) filed a petition with the Superior Court of Sacramento County (the Trial Court) requesting a stay of enforcement of the regulations until March 29, 2024—one year after the regulations were finalized (as contemplated in the CPRA). In June of 2023, the Trial Court agreed with CalChamber and issued an order holding that the Agency could not begin enforcing any required regulations until one year after the regulations were finalized. In August of 2023, the Agency appealed the Trial Court’s decision, and on February 16, 2024, the Appellate Court issued its holding vacating the Trial Court’s decision.

The Appellate Court’s Reasoning

In assessing the Trial Court’s decision, the Appellate Court focused largely on the text of the CPRA statute as well as California voters’ intent in passing the ballot proposition, resting its holding on three main conclusions, each described below.

• First, the Appellate Court held that the text of the CPRA statute does not require a one-year period between when regulations are finalized and when the Agency can begin enforcement. Specifically, the Appellate Court noted that “[a]lthough the specific statutory provision at issue here includes what amounts to a one-year delay…there is no clear, unequivocal language mandating a one-year delay between approval and enforcement.”[3] Indeed, the Appellate Court reasoned that the Trial Court’s decision to “substitute an enforcement schedule (i.e., a one-year gap regardless of the enforcement date)”[4] had the effect of violating the unambiguous text of the CPRA setting forth a July 1, 2023, date with a schedule that was “not set forth in the [CPRA].”[5] Ultimately, the Appellate Court disagreed with CalChamber and the Trial Court, holding that the “statute does not unambiguously require a one-year gap between approval and enforcement.”[6]
• Second, the Appellate Court analyzed the voters’ intent in approving the CPRA and concluded that nothing indicated that voters wished for a delay in enforcement. CalChamber argued that voters intended for at least “a one-year delay between the adoption and the enforcement of those regulations (the period of time between the July 1, 2022, deadline for the adoption of final regulations and the July 1, 2023, effective date for enforcement authority),”[7] and the Trial Court largely agreed, holding that “the Agency could begin enforcing any required regulation one year after it became final.”[8] However, the Appellate Court analyzed the Voter Guide materials distributed to California voters when considering whether to vote for passing the CPRA and determined that the Voter Guide “is silent as to the purpose of the one-year gap between the July 1, 2022, and July 1, 2023, dates.”[9] As such, the Appellate Court concluded that “nothing in the relevant material presented for our review signals that the voters intended such a gap [in enforcement].”[10]
• Finally, the Appellate Court decided there is no evidence that a one-year gap was intentionally set for any specific reason. Because of this, the Appellate Court further reasoned that nothing indicated that the “gap needed to remain at one year regardless of when the approval [of regulations] occurred.”[11]

Looking Ahead

The Appellate Court’s decision opens the door for immediate enforcement of the regulations package finalized on March 29, 2023. More importantly, the Appellate Court’s decision likely shortens the estimated timeline to enforcement of future proposed regulations. Currently, the Agency is in the process of drafting proposed regulations governing cybersecurity audits, risk assessments, and automated decisionmaking technology, as well as certain proposed revisions to the CCPA. 

At its December 8 meeting, the Agency approved a motion to enter the cybersecurity audit regulations into the formal rulemaking process, and it is anticipated that the Agency will release the draft of the cybersecurity audit regulations for a 45-day notice and comment period soon, perhaps at the next Agency meeting (expected to take place in early March). If, at the end of that period, the Agency concludes that the regulations are final, and they pass final review by the Office of Administrative Law, the Agency may declare the regulations to be immediately effective and enforceable as the Agency did with initial regulations last year.

Because the anticipated timeline for enforcement has been shortened by the Appellate Court’s decision, companies should pay close attention to the draft regulations and begin to think through compliance steps and areas for potential public comment.

Our Chambers-ranked Privacy & Security team will monitor upcoming developments and collaborate with our clients to ensure their concerns are heard as the CPPA moves forward with the rulemaking processes.

Endnotes

[1] Opinion at 7, CPPA v. Superior Court of Sacramento Cnty. (CalChamber), No. C099130 (Cal. Ct. App. Feb. 9, 2024).
[2] Id.
[3] Id. at 19.
[4] Id.
[5] Id.
[6] Id.
[7] Id. at 11.
[8] Id.
[9] Id. at 20.
[10] Id. at 19.
[11] Id. at 20.

© 2024 Perkins Coie LLP