This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

CPRA enforcement delayed until at least March 29, 2024

Following a California Chamber of Commerce lawsuit, a Superior Court of California judge has delayed enforcement of the California Privacy Rights Act (CPRA) regulations until March 29, 2024. The suit argued that California voters intended for the California Privacy Protection Agency (CPPA) to issue regulations at least one year prior to the enforcement date on July 1, 2022. Instead, the regulations were issued on March 29, 2023 - some 9 months late. The court agreed with the plaintiff and has therefore delayed enforcement until one year following the issuance of the existing regulations, i.e., until March 29, 2024. 

Moreover, the court said that the CPPA could not enforce areas of the law relating to portions of the CPRA that have not been addressed by the current regulations until at least one year after regulations are issued. Areas that have not been addressed include regulations for cybersecurity audits, risk assessments, and automated decision making. 

The 1 year delay between regulations and enforcement also appears to apply to employment information and business-to-business information. Both of these were subject to temporary exceptions that expired on January 1, 2023, but for which there are still no formal regulations. The CPPA has indicated these regulations would likely be issued after the current drafting of those for cybersecurity audits, risk assessments, and automated decision making. The 1 year delay requirement would also appear to apply to the "clean up" of existing regulations the CPPA suggested when the regulations were submitted to the California Office of Administrative Law. 

Businesses that may not have fully completed their compliance efforts with the CPRA will welcome the temporary reprieve. Nevertheless, businesses should continue to work towards compliance - the 9 month delay (minimum) in enforcement will go by quickly. 

In response to a lawsuit filed by the California Chamber of Commerce, the Sacramento Superior Court has ruled that the California Privacy Protection Agency (CPPA) must delay enforcement of any individual regulation for a one-year period following the date it goes into effect. The CPPA was to have published complete and final regulations by July 1, 2022 with an enforcement date of July 1, 2023. However, the CPPA had not promulgated a final and complete set of regulations in the timeframe called for in the measure nor by the time the litigation was filed in March 2023. Following today’s ruling, the CPPA must create enforcement deadlines that tie directly to the implementation date of each individual rule—a full 12 months following the date they become effective.


cpra, privacy, privacylaw, innovative technology