In an unexpected turn of events, a California court postponed enforcement of the new California Consumer Privacy Act (CCPA) regulations until March 29, 2024. The court’s final decision came at the eleventh hour on June 30, 2023, just one day prior to the scheduled enforcement start date of July 1, 2023. Importantly, while this ruling provides a brief respite from the new CCPA regulations, it does not affect enforcement of the recent statutory changes to the CCPA, which became effective on January 1, 2023.
- A California state court delayed the enforcement date of the new CCPA regulations, issued in March 2023, until March 29, 2024.
- Statutory changes under the CCPA took effect on January 1, 2023, and remain in force, despite the court’s ruling.
- The CCPA regulations address a variety of topics, including data processing agreements, requirements surrounding honoring opt-out signals and providing opt-out mechanisms, dark patterns, and handling consumer data requests.
Background of CCPA/CPRA
The California Privacy Rights Act (CPRA) implemented sweeping changes to the CCPA, California’s landmark consumer privacy law, which first became effective on January 1, 2020. These statutory changes (effective January 1, 2023) remain in force despite the court’s ruling and include, among other things:
Major Expansion of CCPA Applicability
The CPRA sunset the exemption for data related to employees, owners, directors, officers, and independent contractors under the CCPA as of January 1, 2023. This means that the requirements surrounding disclosure, collection, safeguarding, and sharing of personal information now apply to employees, prospective employees, and others, in addition to the traditional CCPA consumer rights now applying to these individuals.
Creation of the California Privacy Protection Agency
The CPRA established the California Privacy Protection Agency, an independent agency that is tasked with implementing and enforcing the CCPA. The agency is led by a five-member board that has assumed CCPA rulemaking duties from the California attorney general’s office with an annual $10 million appropriation (cost adjusted).
Additional Rights for Consumers
The CPRA included additional or expanded rights, such as the right to opt out of sharing, the right to correct inaccurate personal information, and the right to limit the use of personal information. The CPRA also included more specific requirements surrounding businesses’ obligations with respect to disclosure of and honoring these rights.
Increased Disclosure Obligations
The CPRA required additional information to be included in privacy policies, such as the categories of sharing and sources of information, the purposes for collecting, selling, or sharing personal information, the categories of third parties to whom information is disclosed, and the retention periods for various categories of personal information, including particular methods to opt out of the sharing and/or sale of certain personal information. Moreover, the CPRA now includes transparency requirements surrounding automated decision-making processes, including requirements to provide meaningful information about the logic involved and a description of the likely outcomes of these processes.
Data Protection Impact Assessments
The CPRA requires data protection assessments for data processing activities that could present “significant risk to consumers’ privacy or security.” The CPRA includes certain generalized factors to consider in making a determination regarding what constitutes a “significant risk to consumers’ privacy or security,” although more specific requirements will be outlined in future rulemaking sessions.
The above changes are only a sample of the numerous changes effected by the CPRA amendments. Note that the statutory requirements of the CCPA (including CPRA amendments) remain in full force and effect as of January 1, 2023, with the agency having begun enforcement activities on July 1, 2023. The implementing regulations discussed below are the only portions of the CCPA for which enforcement will not begin until March 29, 2024.
Court Ruling Delaying Enforcement of CCPA Regulations
Although the CCPA required implementing regulations to be issued by July 1, 2022, the proposed regulations covering the majority of the required topics were not finalized until March 29, 2023, with enforcement expected to begin on July 1, 2023.
On March 30, 2023, the California Chamber of Commerce filed suit against the agency, arguing that the CCPA contemplated that enforcement of regulations would not occur until one year following the finalization of the regulations. The court agreed, holding that enforcement of the new CCPA regulations could not occur until one year after being finalized, effectively pushing the enforcement of the March 29, 2023, regulations to March 29, 2024. The ruling, however, does not restrict the agency or the attorney general’s office from enforcing statutory changes to the CCPA that came into effect on January 1, 2023.
The March 29, 2023, regulations address a variety of topics, including data processing agreements, requirements surrounding honoring opt-out signals and providing opt-out mechanisms, dark patterns, and handling consumer data requests. Of the fifteen new areas where the CPRA requires additional implementing regulations, the March 29, 2023, regulations address twelve of these areas, with the remaining three—privacy impact assessments, automated decision-making, and cybersecurity audits—to be hashed out in future regulations expected to be issued by the end of 2023. In light of the above decision, any additional regulations will likely be subject to a one-year grace period before enforcement begins. However, given the numerous compliance obligations imposed by the newly enacted regulations, businesses may want to begin preparing for these new requirements well in advance of the March 2024 enforcement deadline.
Follow and Subscribe