Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

A Breathing Room for Businesses : Court Decision Postpones CPRA Enforcement Until March 2024

Download: CPRA Decision-Making Guide
Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Listen to the content

This post is also available in: Brazilian Portuguese

In a recent turn of events, the Superior Court of Sacramento County, California, postponed the enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024.

The court’s order came just a day before the regulation's enforcement date, i.e., July 1, 2023.

The much-anticipated delay in the enforcement date gives businesses enough time to understand CPRA regulations better and implement the associated provisions around risk assessments, consent preferences, global privacy controls, data subject requests, dark patterns, and opt-out mechanisms.

Background

The state of California saw its first-ever data privacy regulation in 2018 under the California Consumer Privacy Act (CCPA) banner. It was designed and enforced to protect the consumers’ data privacy residing in the state. However, the regulation fell short of satisfying Californians about their data privacy. Consequently, it led them to initiate Proposition 24 through a ballot initiative which resulted in the passage of the California Privacy Rights Act (CPRA), which significantly amended the CCPA.

The CPRA came into effect on January 1, 2023, with enforcement scheduled to be initiated on July 1, 2023, by the newly introduced regulatory authority, California Privacy Protection Agency (CPPA). The CPPA was tasked to promulgate the final regulations and enforce the law along with the California Department of Justice. The CPRA (Cal. Civ. Code § 1798.185, subd. (d)) clearly states that the “[t]he timeline for adopting final regulations required by the act … shall be July 1, 2022.” However, the first of at least two drafts of regulations were finalized by the CPPA nine months later than the actual date, i.e., March 23, 2023.

Concerned by businesses that would be fairly impacted by the short, three-month deadline, the California Chamber of Commerce (CalChamber) filed a complaint with the Sacramento County Superior against CPPA’s delay in finalizing the draft regulation and the lack of time for the affected businesses to come in compliance with the new rules. In its June hearing, the Court issued its decision stating, “The plain language of the statute indicates the agency was required to have final regulations in place by 1 July 2022.” The Judge added, “The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations."

Consequently, the Court granted the CalChamber an injunction and delayed the enforcement date of the first draft of regulations, finalized on March 30, 2023, until March 29, 2024. The court emphasized that the statute’s intent was that the administrative enforcement of the regulations begin after the lapse of 12 months from the effective date of the regulations, and a similar approach will be followed for the remaining yet-to-be-issued regulations under the CPRA.

What It Means for Businesses

Only CPRA Regulations Are Delayed

Although it is a great relief for businesses making haste to comply with the delayed regulations, they still have to proactively maintain compliance with their obligations under the CPRA, which went into effect on January 1, 2023, and is enforceable by the CPPA from July 1, 2023. The Court issued a balanced order for both the CalChamber and the CPPA, clearly stating that the issued order for the delay is restricted to only March 2023’s finalized CPRA regulations, while the rest of the CCPA regulations from 2020 and the CPRA provisions can still be enforced by the CPPA.

Businesses Have a Year for Compliance Preparation

In preparation for the delayed CPRA regulations, organizations must first decide whether they hit the CPRA compliance threshold. Apart from the regulations that are yet to be enforced on March 29, 2024, businesses must also prepare themselves for the provisions of the main statutes enforceable by the CPPA. Here are some best practices that companies must consider:

  • Ensure your employees' PI has the same data privacy policies and controls as Consumer Personal Information.
  • Conduct data mapping across your data landscape to discover and catalog sensitive personal information (SPI) for additional security.
  • Make room for yearly Risk Assessments and Cybersecurity audits (CSAs).
  • Streamline and automate the amended and new data subject privacy rights.
  • Prepare policies for Data Minimization, Storage Limitation, and Purpose.
  • Update in an automated fashion the Privacy Notices for every user, including but not limited to consumers, employees, job applications, etc.

To learn more, Download Whitepaper: 7 Essential Tips to Prepare for the CPRA

Streamline CPRA Compliance Efforts with Securiti

Considering the delay in the enforcement deadline, covered businesses must remain on their toes and continue their efforts toward CPRA compliance. It is also to be noted that two other state privacy laws, the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA), went into effect on July 1, 2023. This marks the US’s relentless effort to maintain users’ data privacy, further necessitating a comprehensive yet automated approach to privacy compliance.

Securiti’s PrivacyCenter.cloud is built to help you ensure just that!

The PrivacyCenter.cloud helps businesses reduce the complexity of compliance with global data privacy laws while building trust with consumers. Enable transparency with fully-automated Privacy Notices, honor consumers’ preferences with cookie consent banners, and build user trust with automated GPC signals detection and individual privacy rights’ fulfillment.

Set up a fully functional Privacy Center and link it to your website or mobile application in minutes.

Create your Privacy Center now to comply with various complex and evolving global privacy laws easily.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What is AI Security Posture Management (AI-SPM)? View More
What is AI Security Posture Management (AI-SPM)?
AI SPM stands for AI Security Posture Management. It represents a comprehensive approach to ensure the security and integrity of AI systems throughout the...
View More
Data Security & GDPR Compliance: What You Need to Know
Learn the importance of data security in ensuring GDPR compliance. Implement robust data security measures to prevent non-compliance with the GDPR.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Top 3 Key Predictions on GenAI's Transformational Impact in 2025 View More
Top 3 Key Predictions on GenAI’s Transformational Impact in 2025
Discover how a leading Chief Data Officer (CDO) breaks down top predictions for GenAI’s transformative impact on operations and innovation in 2025.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New