On February 9, the California Third District Court of Appeals issued a decision reversing the Sacramento Superior Court’s ruling from June 30, 2023 to stay enforcement of the CPRA Regs until March 29, 2024 (which we blogged about here). The Court of Appeals found that CPRA does not require a one-year gap between approval and enforcement, and that the Superior Court erred in staying enforcement until one year after the CPRA Regs were finalized. This landmark decision means that California regulators can begin enforcing the CPRA Regs immediately.

Implications for Business. The immediate enforcement of the CPRA Regs may come as a shock to companies that thought they had more time to address compliance. The CPRA Regs introduce obligations beyond those set out in the underlying statute, including relating to purpose evaluation, consumer rights, opt-out preference signals, and dark patterns. Last year we posted a blog covering many of these new obligations – check out our blog here. Companies will need to act quickly to comply with these new obligations.

Implication for Regulators. California regulators must be thrilled with the decision. Given that the CPRA Regs were supposed to take effect on July 1, 2023, we anticipate that regulators will expect companies to be in compliance immediately.  

Implications for Subsequent Regs. The CPPA has been actively working on draft Regs concerning cybersecurity audits, risk assessments, automated decision-making technology (ADMT). We blogged about the CPPA’s December 2023 board meeting here and draft ADMT Regs here. Many in the privacy community assumed that these next sets of Regs would not be approved until mid-2024 and therefore not take effect until mid-2025 (one year after approval). This decision speeds up the timeline considerably. Companies need to carefully monitor the draft Regs, and should expect to be ready to comply with them later this year.

We are actively working with clients to address the CPRA Regs. If you have any questions, please reach out.