In a noteworthy development, the enforcement of California Privacy Rights Act (CPRA) was put on hold last week after a California court ruled in favor of the California Chamber of Commerce's petition to stay enforcement of CPRA regulations. The litigation was triggered by the failure of the California Privacy Protection Agency (CPPA) to meet the statutory deadline of July 1, 2022 for adopting the final regulations.
Background: CPRA Regulations Adoption Timeline
The CPPA was expected to adopt the final regulations by the July 1, 2022 deadline, but it failed to do so. Instead, the agency was only able to finalize a subset of CPRA regulations by March 2023, with additional rules governing risk assessments, cybersecurity audits, and profiling still in progress. The California Chamber of Commerce filed suit requesting a stay of enforcement, arguing that the CPRA mandates a 12-month grace period from the date the CPPA adopts its final regulations, and the court concurred with those arguments.
Implications: CPRA Enforcement Timeline
As per the court's ruling, enforcement of the finalized regulations will now commence on March 29, 2024. Any future regulations enacted by the CPPA will also be subject to a 12-month delay from the date the regulations are finalized.
Ongoing Compliance Requirements
Although this decision represents a welcome respite for businesses, it is important to note that this delay does not affect the California Attorney General’s ability to enforce the statutory text of the CPRA. This is due to the distinction between statutes like the CPRA and the regulations that enforce them. Regulations enacted by agencies like the CPPA basically serve as compliance instructions for an underlying statute that have the force of law but are separate and distinct from the statutes they enforce. Therefore, those companies subject to the CPRA should continue their efforts to maintain compliance.
New Privacy Laws in Colorado and Connecticut
While the enforcement of the CPRA regulations has been delayed, new privacy laws have come into effect in Colorado and Connecticut as of July 1. These include an extensive set of privacy regulations adopted by the Colorado Attorney General. Hence, businesses operating in these regions need to be aware of the new requirements and make necessary adjustments to their privacy policies and practices.
Final Thoughts: CPRA Compliance Moving Forward
While the delay in the enforcement of CPRA regulations provides businesses with more time to align their practices with the regulations, it does not nullify the need for vigilance in maintaining privacy standards. Moreover, with new privacy laws in other states, companies must stay abreast of the evolving legal landscape to ensure continued compliance.
The CPRA enforcement delay presents a unique opportunity for businesses, particularly those partnered with the Blacklist Alliance, to audit their current practices, identify areas for improvement, and create robust privacy and security systems in preparation for the finalization of the CPRA regulations.
In conclusion, as we navigate these regulatory shifts; proactive, informed, and adaptive approaches will prove essential to maintaining compliance and protecting consumer privacy.