On February 9, a California appellate court issued a decisive ruling in favor of the California Privacy Protection Agency (the Agency), allowing the state to immediately begin enforcement of its new regulations, effectively overturning a prior decision that had delayed the enforcement of regulations created under the California Consumer Privacy Act (CCPA) until March 29, 2024. This judgment rejects the argument that the CCPA mandated a one-year grace period for businesses to comply with the new regulations, clarifying that the statute does not explicitly require such a delay for enforcement to commence. The court merely emphasized the Agency’s duty to evaluate various factors when contemplating enforcement of the regulations, including the elapsed time since the regulatory requirements were established and the business’s genuine efforts toward compliance.

The ruling carries significant implications for businesses previously relying on an extended timeline for compliance, urging an immediate review and update of privacy practices to adhere to the regulations. It not only impacts the enforcement of the Agency’s March 2023 regulations but also signals a broader precedent for the swift enforcement of future regulations, including currently pending regulations concerning automated decision-making, privacy impact assessments, and cybersecurity audits.

The Impact on Clients

In light of the appellate court ruling, it is imperative for businesses that previously relied on an extended timeline for compliance to reassess and, if necessary, update applicable aspects of their privacy program to align with the current CCPA regulations without delay.

Following this decision, the Deputy Director of Enforcement for the Agency, Michael Macko, stated, “We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here. This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

Given these developments, businesses that have yet to take proactive steps toward compliance must act promptly to reassess and enhance their compliance programs. This entails a thorough review of existing privacy policies and procedures, ensuring they meet the standards set forth in the March 2023 regulations and are robust enough to adapt to the additional requirements anticipated from the new rules under consideration.

Taking Action

It is crucial for businesses to quickly adapt to the CCPA, which are now enforceable. In light of this, we recommend that covered businesses revisit their compliance strategies and immediately consider the following streamlined, actionable compliance strategy:

• Privacy Policy Updates: Review and update your privacy policies and notices to customers, job applicants, and current employees to reflect the more burdensome requirements of the California Privacy Rights Act (CPRA) regulations fully. This update should detail, among other things, the categories of personal information collected, the business purposes for processing and further disclosing, retention periods, and how consumers can exercise their rights under the CCPA.
• Contractual Audits: Audit and update all contracts with service providers, vendors, subcontractors, and any third parties that have access to consumer or employee data. Ensure these contracts are updated to incorporate required CCPA/CPRA provisions to safeguard against potential compliance gaps, such as disclosing personal data to a vendor being unexpectedly construed as selling personal data.
• Digital Compliance Assurance: Assess and adjust your website’s cookie management and privacy practices to meet CCPA/CPRA requirements if your use of cookies may be considered a sale or sharing of personal information for purposes of cross-context behavioral advertising. This includes ensuring your cookie banners offer clear choices to users and reevaluating your website and online interfaces to eliminate any dark patterns that might impair consumer autonomy or choice. Ensure your digital practices, including cookie consent and data collection disclosures, are transparent and compliant.
• Process Optimization for Consumer Rights Requests: Enhance your mechanisms for receiving and processing CCPA consumer rights requests to be efficient and compliant with the regulations. This involves establishing multiple accessible channels for requests, such as via opt-out links and honoring browser opt-out preference signals such as the Global Privacy Control, and ensuring your system can effectively record and track such requests.

The Road to Today

After the passage of the landmark CCPA, state privacy advocacy groups successfully introduced ballot initiative Prop 24, also known as the CPRA, which voters approved in November 2020. The CPRA not only amended and expanded the CCPA but also established the first in the nation, California Privacy Protection Agency (Agency), with the mandate to adopt comprehensive regulations by July 1, 2022, and to start enforcing these regulations by July 1, 2023.

However, the Agency encountered delays in its rulemaking and did not meet the July 1, 2022, deadline; instead, publishing its regulations on March 29, 2023. In response to the delay, the California Chamber of Commerce filed a lawsuit against the Agency, arguing for a one-year postponement of enforcement from the date the Agency adopted the required regulations to give businesses time to comply. In June 2023, a California Superior Court ruled in favor of the California Chamber of Commerce. That June 2023 ruling also established that any future regulations issued by the Agency would also be subject to a 12-month stay of enforcement from their date of finalization.

The Agency appealed the Superior Court’s decision. In the meantime, the Agency maintained that, even without enforceable regulations, it retained the authority to enforce the underlying statutory terms of the CCPA. It proceeded to conduct investigations into compliance but stopped short of issuing any fines or penalties under the CCPA framework during this period.

Concurrently, and underscoring its commitment to upholding the CCPA’s consumer rights provisions despite the ongoing legal and regulatory debates, the California Attorney General exercised its independent statutory enforcement powers with respect to the underlying CCPA statute. A notable instance of this enforcement power was the Attorney General’s investigation and subsequent extraction of a $1.2 million settlement with Sephora upon allegations that the company failed to comply with consumer requests to opt out of data collection and sharing, including a failure to honor browser-enabled opt-out preference signals.

The Appellate Court’s Reversal

On February 9, a California appellate court ruled in favor of the Agency, overturning the Superior Court’s decision that had postponed the enforcement of the CCPA regulations until March 29, 2024. That court rejected the California Chamber of Commerce’s argument that a one-year delay between the adoption of regulations and the start of enforcement aligned with statutory requirements and voter intent. Rather, the court determined that the statutes of the CCPA did not explicitly mandate such a delay. The court explicitly found that there was no clear legislative or voter intention supporting the necessity of a delay.

Instead, the court highlighted the Agency’s responsibility to consider various factors when deciding to initiate investigations or enforcement actions. This includes the time elapsed since the regulatory requirements came into effect and the efforts made by businesses to comply in good faith.

Thus, businesses should act swiftly to reassess, finalize, and strengthen their compliance programs, paying particular attention to the forthcoming regulations’ broader implications on operations, especially concerning the use of artificial intelligence.

While the ruling affects the enforcement of the Agency’s March 2023 regulations, it also sets the precedent for how future regulations currently under consideration by the Agency will be enforced. These forthcoming rules delve into areas such as automated decision-making, privacy impact assessments, and cybersecurity audits, signaling another significant expansion of the regulatory landscape. Specifically, many businesses will be required to conduct thorough, independent audits of their cybersecurity measures and navigate comprehensive regulations concerning the deployment of artificial intelligence in their business operations.

Moreover, it is crucial for businesses to understand the broader implications of these forthcoming regulations on their operations, particularly regarding the use of artificial intelligence. Preparing for these changes may involve engaging in strategic planning sessions, conducting internal audits, and leveraging legal and technical advice to effectively navigate the complexities of compliance.