CPRA enforcement delayed until at least March 29, 2024

Following a California Chamber of Commerce lawsuit, a Superior Court of California judge has delayed enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024. The suit argued that California voters intended for the California Privacy Protection Agency (CPPA) to issue regulations at least one year prior to the enforcement date on July 1, 2022. Instead, the regulations were issued on March 29, 2023 - some 9 months late. The court agreed with the plaintiff and has therefore delayed enforcement until one year following the issuance of the existing regulations, i.e., until March 29, 2024. 

Moreover, the court said that the CPPA could not enforce areas of the law relating to portions of the CPRA that have not been addressed by the current regulations until at least one year after regulations are issued. Areas that have not been addressed include regulations for cybersecurity audits, risk assessments, and automated decision making. 

The 1 year delay between regulations and enforcement also appears to apply to employment information and business-to-business information. Both of these were subject to temporary exceptions that expired on January 1, 2023, but for which there are still no formal regulations. The CPPA has indicated these regulations would likely be issued after the current drafting of those for cybersecurity audits, risk assessments, and automated decision making. The 1 year delay requirement would also appear to apply to the "clean up" of existing regulations the CPPA suggested when the regulations were submitted to the California Office of Administrative Law. 

Businesses that may not have fully completed their compliance efforts with the CPRA will welcome the temporary reprieve. Nevertheless, businesses should continue to work towards compliance - the 9 month delay (minimum) in enforcement will go by quickly.