A Breathing Room for Businesses : Court Decision Postpones CPRA Enforcement Until March 2024

In a recent turn of events, the Superior Court of Sacramento County, California, postponed the enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024.

The court’s order came just a day before the regulation's enforcement date, i.e., July 1, 2023.

The much-anticipated delay in the enforcement date gives businesses enough time to understand CPRA regulations better and implement the associated provisions around risk assessments, consent preferences, global privacy controls, data subject requests, dark patterns, and opt-out mechanisms.

Background

The state of California saw its first-ever data privacy regulation in 2018 under the California Consumer Privacy Act (CCPA) banner. It was designed and enforced to protect the consumers’ data privacy residing in the state. However, the regulation fell short of satisfying Californians about their data privacy. Consequently, it led them to initiate Proposition 24 through a ballot initiative which resulted in the passage of the California Privacy Rights Act (CPRA), which significantly amended the CCPA.

The CPRA came into effect on January 1, 2023, with enforcement scheduled to be initiated on July 1, 2023, by the newly introduced regulatory authority, California Privacy Protection Agency (CPPA). The CPPA was tasked to promulgate the final regulations and enforce the law along with the California Department of Justice. The CPRA (Cal. Civ. Code § 1798.185, subd. (d)) clearly states that the “[t]he timeline for adopting final regulations required by the act … shall be July 1, 2022.” However, the first of at least two drafts of regulations were finalized by the CPPA nine months later than the actual date, i.e., March 23, 2023.

Concerned by businesses that would be fairly impacted by the short, three-month deadline, the California Chamber of Commerce (CalChamber) filed a complaint with the Sacramento County Superior against CPPA’s delay in finalizing the draft regulation and the lack of time for the affected businesses to come in compliance with the new rules. In its June hearing, the Court issued its decision stating, “The plain language of the statute indicates the agency was required to have final regulations in place by 1 July 2022.” The Judge added, “The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations."

Consequently, the Court granted the CalChamber an injunction and delayed the enforcement date of the first draft of regulations, finalized on March 30, 2023, until March 29, 2024. The court emphasized that the statute’s intent was that the administrative enforcement of the regulations begin after the lapse of 12 months from the effective date of the regulations, and a similar approach will be followed for the remaining yet-to-be-issued regulations under the CPRA.

What It Means for Businesses

Only CPRA Regulations Are Delayed

Although it is a great relief for businesses making haste to comply with the delayed regulations, they still have to proactively maintain compliance with their obligations under the CPRA, which went into effect on January 1, 2023, and is enforceable by the CPPA from July 1, 2023. The Court issued a balanced order for both the CalChamber and the CPPA, clearly stating that the issued order for the delay is restricted to only March 2023’s finalized CPRA regulations, while the rest of the CCPA regulations from 2020 and the CPRA provisions can still be enforced by the CPPA.

Businesses Have a Year for Compliance Preparation

In preparation for the delayed CPRA regulations, organizations must first decide whether they hit the CPRA compliance threshold. Apart from the regulations that are yet to be enforced on March 29, 2024, businesses must also prepare themselves for the provisions of the main statutes enforceable by the CPPA. Here are some best practices that companies must consider:

• Ensure your employees' PI has the same data privacy policies and controls as Consumer Personal Information.
• Conduct data mapping across your data landscape to discover and catalog sensitive personal information (SPI) for additional security.
• Make room for yearly Risk Assessments and Cybersecurity audits (CSAs).
• Streamline and automate the amended and new data subject privacy rights.
• Prepare policies for Data Minimization, Storage Limitation, and Purpose.
• Update in an automated fashion the Privacy Notices for every user, including but not limited to consumers, employees, job applications, etc.

To learn more, Download Whitepaper: 7 Essential Tips to Prepare for the CPRA

Streamline CPRA Compliance Efforts with Securiti

Considering the delay in the enforcement deadline, covered businesses must remain on their toes and continue their efforts toward CPRA compliance. It is also to be noted that two other state privacy laws, the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA), went into effect on July 1, 2023. This marks the US’s relentless effort to maintain users’ data privacy, further necessitating a comprehensive yet automated approach to privacy compliance.

Securiti’s PrivacyCenter.cloud is built to help you ensure just that!

The PrivacyCenter.cloud helps businesses reduce the complexity of compliance with global data privacy laws while building trust with consumers. Enable transparency with fully-automated Privacy Notices, honor consumers’ preferences with cookie consent banners, and build user trust with automated GPC signals detection and individual privacy rights’ fulfillment.

Set up a fully functional Privacy Center and link it to your website or mobile application in minutes.

Create your Privacy Center now to comply with various complex and evolving global privacy laws easily.