This is an update to our original post on June 29, 2023.
In a surprising turn of events, on June 30, 2023, the Sacramento Superior Court held that the CPRA Regs cannot be enforced until March 29, 2024. The Court found that voters intended a 12-month period between finalization of the Regs and enforcement. As the Regs were not finalized until March 29, 2023, they cannot be enforced until March 29, 2024. Below are some quick thoughts:
- The practical impact of the stay is likely limited. The CPRA statutory text still became enforceable on July 1, 2023. While the CA AG and CPPA are not able to enforce the CPRA Regs, we expect they will look to the Regs for guidance on how to enforce the CPRA statutory text. Companies that have actively prepared for the CPRA Regs should continue to act as if the Regs are already enforceable.
- The good news is that the stay will give companies more time to address any deficiencies with their compliance with the CPRA Regs. This will particularly help companies that need more time for complex aspects of the CPRA Regs, such as compliance with Section 7002.
- The CPPA is still working on a second part of the Regs to address cybersecurity audits, risk assessments, and automated decision-making. The fact that this second part has not been finalized will not impact enforcement of the first part. The first part of the Regs can be enforced on March 29, 2024, and the second part can be enforced one year after it is finalized.
- The CPPA has announced a board meeting for July 14, 2023. We expect to learn more about the impact of the Court order at that time.
The Petition is granted, in part. Enforcement of any final Agency regulation implemented pursuant to Subdivision (d) will be stayed for a period of 12 months from the date that individual regulation becomes final, as described above. The Court declines to mandate any specific date by which the Agency must finalize regulations.