A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024.

By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli

On June 30, 2023, a day before the California Consumer Privacy Act (CCPA) as amended by the California Consumer Privacy Act (CPRA), and the accompanying regulations issued by the California Privacy Protection Agency (Agency), were set to come into force, the Superior Court of California granted a petition to restore a key aspect of the voter-enacted law: covered businesses must receive a one-year grace period between final adoption and enforcement of the CCPA regulations. Certain forthcoming regulations will also receive a one-year grace period.

Key Takeaways

  • Businesses subject to the CCPA (as amended by the CPRA) will now have until March 29, 2024, before the Agency can enforce the CCPA regulations that were finally adopted in March 2023.
  • In addition, the ruling affirms that businesses will also have a one-year period to comply with the Agency’s regulations relating to automated decision-making, risk assessments, and cybersecurity audits once they have been adopted.
  • The ruling is limited to the mandatory regulations that the CPRA required the Agency to promulgate by July 1, 2022; it does not stay enforcement of revisions to the CCPA statute as a result of the CPRA or the existing CCPA regulations previously promulgated by the California Attorney General (which remain in effect until the amended regulations become enforceable).

The ruling stems from an action brought by the California Chamber of Commerce (Chamber) against the Agency, which asserted that the CCPA expressly envisions a one-year timeframe between adoption of final versions of the law’s required regulations (by July 1, 2022), and the commencement of enforcement of those regulations (on July 1, 2023). Specifically, the Chamber cited Section 1798.185(d), which states:

The timeline for adopting final regulations required by the act adding this subdivision shall be July 1, 2022. Beginning the later of July 1, 2021, or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking under this title, the authority assigned to the Attorney General to adopt regulations under this section shall be exercised by the California Privacy Protection Agency. Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall apply to violations occurring on or after that date. Enforcement of provisions of law contained in the California Consumer Privacy Act of 2018 amended by this act shall remain in effect and shall be enforceable until the same provisions of this act become enforceable.”

(Civ. Code § 1798.185, subd. (d) [emphasis added].)

The Agency had not adopted final regulations by July 1, 2022. To recap the history of the CCPA’s rulemaking process, the Agency published the first draft of its proposed regulations, covering 12 of the 15 topics required by the CCPA, for public comment on July 8, 2022 — a week after the mandated deadline to have finalized and adopted all required regulations. After a series of additional amendments and notice and comment, the Agency finally adopted the regulations relating to the 12 topics on March 29, 2023, nine months after the statutory deadline. Despite the delay, the Agency maintained that its enforcement would commence on July 1, 2023, leading to the petition filed by the Chamber.

The Chamber argued that the Agency’s adoption of regulations on March 29, 2023, and plan to enforce on July 1, 2023, ignored the CCPA’s mandated timeline and unfairly prejudiced covered businesses by reducing the law’s intended grace period, giving businesses three months instead of one year to update their systems, policies, contracts, and practices to comply with 65 pages of regulations. The Chamber sought judicial intervention to restore the one-year timeframe set forth in the statute.

The court agreed, finding that the Agency cannot ignore one date while enforcing the other, and noting that “the very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court determined that the express language of the CCPA demonstrated the voters’ intent to give businesses a period of one year from final adoption to enforcement to allow for sufficient time for compliance. As a result, the court stayed the Agency’s enforcement of any required CCPA regulation until 12 months after the regulation was adopted. The court then clarified that its ruling meant the Agency could only “begin enforcing those regulations that became final on March 29, 2023 on March 29, 2024.” Likewise the Agency could only start enforcing any forthcoming regulations required by the CCPA (such as those that cover the remaining three topics relating to cybersecurity audits, risk assessments, and automated decision-making technology) one year after their final versions are adopted.

Notably, the court’s ruling applies specifically “to the mandatory areas of regulation contemplated by” the CCPA and promulgated by the Agency. The ruling does not stay enforcement of the CCPA statute (as amended by the CPRA) nor the previously passed CCPA regulations promulgated by the California Attorney General (which will remain in effect until the regulations finalized by the Agency become enforceable in March of next year).