A “significant win for Californians’ privacy rights” is how the California Privacy Protection Agency (“CPPA”) welcomed, in a press release, the restoration of its authority to enforce the regulations implementing the California Privacy Rights Act (“CPRA”). Those regulations were published on March 29, 2023 and were originally due to be enforceable from July 1, 2023. The CPRA, which has been effective since January 1, 2023, amended the existing California Consumer Privacy Act (“CCPA”).
In June 2023, a California trial court decided in favour of the California Chamber of Commerce, which had brought a lawsuit claiming that the CPPA was not permitted to enforce the regulations until March 2024. The Chamber argued that this would “allow sufficient time for affected businesses to become compliant with the regulations.” The trial court agreed that enforcement should be delayed for one year until March 2024 on the basis that voters had intended a twelve-month implementation period.
However, on February 9, 2024, the California Third District Court of Appeal overturned the trial court’s decision and found that the regulations should have been enforceable from July 1, 2023. The Appellate Court said that, for a one-year delay in enforcement to have been mandatory, “explicit and forceful language” to this effect would have been required.
The impact of this reversal is significant for businesses that fall within the scope of the CCPA/CPRA. It confirms that the CPPA now has the ability to take enforcement action, and that future regulations implementing the CCPA/CPRA will likewise not be subject to a delay in enforcement. Michael Macko, Deputy Director of Enforcement for the CPPA, commented: “We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here”.
Businesses within the scope of the California privacy laws should carefully review their privacy practices and contracts to ensure compliance with the regulations. This includes:
- ensuring that contracts include the required terms for “service providers”, “contractors” or “third parties”, including granular specification of business purposes;
- implementing the limitations imposed on “service providers” and “contractors” in combining data received from the “business” with data obtained from third parties or directly from the individuals;
- ensuring consents are provided freely, rather than using “dark patterns” to encourage individuals to consent;
- conducting appropriate due diligence on counterparties to whom data is disclosed.
If you have any questions about this decision or compliance with California privacy laws, please reach out to Anna Casonato at acasonato@blegalgroup.com.