07.12.2023


Updates

Background

The day before the California Privacy Rights Act (CPRA) became enforceable on July 1, we learned that enforcement of the first set of implementing regulations finalized by the California Privacy Protection Agency (CPPA) under the CPRA (Regulations) is delayed until March 29, 2024. Prior to the June 30 ruling by a California Superior Court judge (the Ruling), the Regulations were set to become immediately effective on the CPRA’s July 1 effective date.

Staying the Course

While the Ruling provides businesses with several more months to comply with the highly prescriptive Regulations, businesses should refrain from seeing this as an opportunity to abandon privacy compliance efforts—even those that are based on the Regulations. It appears clear that the Ruling applies only to the Regulations themselves and not to the statutory text nor to prior regulations issued by the California Attorney General, both of which are currently enforceable. The Regulations are helpful in signaling the CPPA’s intent with respect to enforcement of the statute, and thus, the Regulations and statute are best interpreted in tandem.

Beyond March 2024

The Ruling confirmed that a period of delay would also apply to future CPPA regulations. Because the Regulations only address 12 of the 15 areas for which the CPPA is to promulgate regulations, new regulations are to come covering the three additional areas—cybersecurity audits, risk assessments, and automated decision-making. Under the reasoning of the Ruling, any such new regulations will not be directly enforceable until 12 months after the full rulemaking process is completed and the regulations are implemented.

The CPPA meets next on July 14, 2023, and our team of privacy lawyers will continue to keep clients updated on new developments.

© 2023 Perkins Coie LLP


 
