Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

A Breathing Room for Businesses : Court Decision Postpones CPRA Enforcement Until March 2024

Download: CPRA Decision-Making Guide
Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Listen to the content

This post is also available in: Brazilian Portuguese

In a recent turn of events, the Superior Court of Sacramento County, California, postponed the enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024.

The court’s order came just a day before the regulation's enforcement date, i.e., July 1, 2023.

The much-anticipated delay in the enforcement date gives businesses enough time to understand CPRA regulations better and implement the associated provisions around risk assessments, consent preferences, global privacy controls, data subject requests, dark patterns, and opt-out mechanisms.

Background

The state of California saw its first-ever data privacy regulation in 2018 under the California Consumer Privacy Act (CCPA) banner. It was designed and enforced to protect the consumers’ data privacy residing in the state. However, the regulation fell short of satisfying Californians about their data privacy. Consequently, it led them to initiate Proposition 24 through a ballot initiative which resulted in the passage of the California Privacy Rights Act (CPRA), which significantly amended the CCPA.

The CPRA came into effect on January 1, 2023, with enforcement scheduled to be initiated on July 1, 2023, by the newly introduced regulatory authority, California Privacy Protection Agency (CPPA). The CPPA was tasked to promulgate the final regulations and enforce the law along with the California Department of Justice. The CPRA (Cal. Civ. Code § 1798.185, subd. (d)) clearly states that the “[t]he timeline for adopting final regulations required by the act … shall be July 1, 2022.” However, the first of at least two drafts of regulations were finalized by the CPPA nine months later than the actual date, i.e., March 23, 2023.

Concerned by businesses that would be fairly impacted by the short, three-month deadline, the California Chamber of Commerce (CalChamber) filed a complaint with the Sacramento County Superior against CPPA’s delay in finalizing the draft regulation and the lack of time for the affected businesses to come in compliance with the new rules. In its June hearing, the Court issued its decision stating, “The plain language of the statute indicates the agency was required to have final regulations in place by 1 July 2022.” The Judge added, “The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations."

Consequently, the Court granted the CalChamber an injunction and delayed the enforcement date of the first draft of regulations, finalized on March 30, 2023, until March 29, 2024. The court emphasized that the statute’s intent was that the administrative enforcement of the regulations begin after the lapse of 12 months from the effective date of the regulations, and a similar approach will be followed for the remaining yet-to-be-issued regulations under the CPRA.

What It Means for Businesses

Only CPRA Regulations Are Delayed

Although it is a great relief for businesses making haste to comply with the delayed regulations, they still have to proactively maintain compliance with their obligations under the CPRA, which went into effect on January 1, 2023, and is enforceable by the CPPA from July 1, 2023. The Court issued a balanced order for both the CalChamber and the CPPA, clearly stating that the issued order for the delay is restricted to only March 2023’s finalized CPRA regulations, while the rest of the CCPA regulations from 2020 and the CPRA provisions can still be enforced by the CPPA.

Businesses Have a Year for Compliance Preparation

In preparation for the delayed CPRA regulations, organizations must first decide whether they hit the CPRA compliance threshold. Apart from the regulations that are yet to be enforced on March 29, 2024, businesses must also prepare themselves for the provisions of the main statutes enforceable by the CPPA. Here are some best practices that companies must consider:

  • Ensure your employees' PI has the same data privacy policies and controls as Consumer Personal Information.
  • Conduct data mapping across your data landscape to discover and catalog sensitive personal information (SPI) for additional security.
  • Make room for yearly Risk Assessments and Cybersecurity audits (CSAs).
  • Streamline and automate the amended and new data subject privacy rights.
  • Prepare policies for Data Minimization, Storage Limitation, and Purpose.
  • Update in an automated fashion the Privacy Notices for every user, including but not limited to consumers, employees, job applications, etc.

To learn more, Download Whitepaper: 7 Essential Tips to Prepare for the CPRA

Streamline CPRA Compliance Efforts with Securiti

Considering the delay in the enforcement deadline, covered businesses must remain on their toes and continue their efforts toward CPRA compliance. It is also to be noted that two other state privacy laws, the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA), went into effect on July 1, 2023. This marks the US’s relentless effort to maintain users’ data privacy, further necessitating a comprehensive yet automated approach to privacy compliance.

Securiti’s PrivacyCenter.cloud is built to help you ensure just that!

The PrivacyCenter.cloud helps businesses reduce the complexity of compliance with global data privacy laws while building trust with consumers. Enable transparency with fully-automated Privacy Notices, honor consumers’ preferences with cookie consent banners, and build user trust with automated GPC signals detection and individual privacy rights’ fulfillment.

Set up a fully functional Privacy Center and link it to your website or mobile application in minutes.

Create your Privacy Center now to comply with various complex and evolving global privacy laws easily.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Shrink The Blast Radius: Automate Data Minimization with DSPM View More
Shrink The Blast Radius
Recently, DaVita disclosed a ransomware incident that ultimately impacted about 2.7 million people, and it’s already booked $13.5M in related costs this quarter. Healthcare...
Why I Joined Securiti View More
Why I Joined Securiti
I’m beyond excited to join Securiti.ai as a sales leader at this pivotal moment in their journey. The decision was clear, driven by three...
View More
EU Publishes Template for Public Summaries of AI Training Content
The EU released the Explanatory Notice and Template for the Public Summary of Training Content for General-Purpose AI (GPAI) Models. Learn more.
Decoding Saudi Arabia’s Cybersecurity Risk Management Framework View More
Decoding Saudi Arabia’s Cybersecurity Risk Management Framework
Discover the Kingdom of Saudi Arabia’s National Framework for Cybersecurity Risk Management by the NCA. Learn how TLP, risk assessment and proactive strategies protect...
Redefining Data Privacy Careers in the Age of AI View More
Redefining Data Privacy Careers in the Age of AI
Securiti's whitepaper provides a detailed overview of the impact AI is poised to have on data privacy jobs and what it means for professionals...
View More
Financial Data & AI: A DSPM Playbook for Secure Innovation
Learn how financial institutions can secure sensitive data and AI with DSPM. Explore real-world risks, DORA compliance, responsible AI, and strategies to strengthen cyber...
Navigating the Minnesota Consumer Data Privacy Act (MCDPA) View More
Navigating the Minnesota Consumer Data Privacy Act (MCDPA): Key Details
Download the infographic to learn about the Minnesota Consumer Data Privacy Act (MCDPA) applicability, obligations, key features, definitions, exemptions, and penalties.
EU AI Act Mapping: A Step-by-Step Compliance Roadmap View More
EU AI Act Mapping: A Step-by-Step Compliance Roadmap
Explore the EU AI Act Mapping infographic—a step-by-step compliance roadmap to help organizations understand key requirements, assess risk, and align AI systems with EU...
The DSPM Architect’s Handbook View More
The DSPM Architect’s Handbook: Building an Enterprise-Ready Data+AI Security Program
Get certified in DSPM. Learn to architect a DSPM solution, operationalize data and AI security, apply enterprise best practices, and enable secure AI adoption...
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
What's
New