Skip to main content
close search
site logo

California privacy agency can enforce updated regulations, court rules

Businesses are urged to review their privacy practices to make sure they are in compliance with all elements of the California Consumer Privacy Act.

Published Feb. 14, 2024
Lyle Moran's headshot
Lyle Moran Reporter
A white computer keyword with a lock, a California shape and the text California Consumer Privacy Act
A white computer keyword with a lock, a California shape and the text California Consumer Privacy Act. Cristian Storto Fotografia via Getty Images

The California Privacy Protection Agency has been given court approval to begin enforcing updates to the state’s landmark consumer privacy law that had previously been put on hold until late March.

The agency-approved regulations were anticipated to go into effect last July 1, but a Sacramento Superior Court judge blocked their implementation in response to a lawsuit from the California Chamber of Commerce.

The state privacy agency known as the CPPA and the California Attorney General’s office appealed the judge’s decision about enforcement to the state’s Third District Court of Appeal.

In a unanimous opinion issued Friday, the appeals court ruled that the regulations the CPPA approved to harmonize a voter-backed ballot measure with the California Consumer Privacy Act could be enforced without a one-year delay following their approval.

“The statute does not unambiguously require a one-year gap between approval and enforcement regardless of when the approval occurs, and nothing in the relevant material presented for our review signals that the voters intended such a gap,” the Third District Court of Appeal opinion said.

The text of the ballot measure known as Proposition 24 “makes clear that, in approving the initiative measure, the voters intended to strengthen and protect consumers’ privacy rights regarding the collection and use (including sale) of their personal information,” the court said. 

Officials at the California Privacy Protection Agency praised the recent court decision.

This ruling ensures all aspects of the regulations adopted by the California Privacy Protection Agency last year are again enforceable, just as the voters intended when they enacted Proposition 24,” said Ashkan Soltani, the CPPA’s executive director, in a CPPA press release.

Michael Macko, the CPPA’s deputy director of enforcement, said his team “stands ready to take it from here.”

“This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations,” Macko said in the press release.

The California Chamber of Commerce had previously pointed to language in Prop. 24 that it argued indicated voters wanted businesses to have one year from the adoption of final privacy regulations before enforcement could begin. 

“While we are pleased to see that the court recognized that the Agency failed to comply with the express terms of the statutory provision regarding the adoption of final regulations, we are disappointed that the Court of Appeal did not agree on a remedy for the Agency’s failure to comply,” the chamber said in a statement. “CalChamber is reviewing the opinion in greater detail and is considering its options.”

Under Sacramento Superior Court Judge James Arguelles’ ruling last summer, regulations that California’s Office of Administrative Law approved last March could not have been enforced until March 29, 2024. 

The Chamber of Commerce’s case focused on the CPPA’s adoption of regulations in 12 of 15 subject matter areas.

Prior to the Third District’s ruling, regulations in the other three areas could not have been enforced until a year after they were formally approved. The three outstanding areas were cybersecurity audits, risk assessments and automated decision-making technology.

The appeals court wrote that it would “allow the trial court to consider any remaining issues concerning the propriety of compelling more prompt development of regulations.” Under Proposition 24, final regulations for all 15 areas were supposed to be adopted by July 1, 2022. 

Business impact

Attorneys at Ropes & Gray said the appeals court’s ruling in the privacy case “should create a sense of urgency for businesses who were relying on a longer runway to comply with CCPA regulations.”

The lawyers said businesses should also keep in mind the ruling’s impact on the California privacy agency’s planned regulations regarding automated decision-making, privacy impact assessments and cybersecurity audits.

“Among other things, they would require many businesses to conduct new, independent audits of their cybersecurity programs and impose broad rules around the use of technologies that could affect the development of artificial intelligence-based systems,” said a Ropes & Gray blog post. “Accordingly, businesses that have not implemented steps to comply should move swiftly to update compliance programs.”

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Trellis Launches Trellis AI to Revolutionize Trial Court Litigation
From Trellis
November 19, 2024
Breaches and Bots: Law Firms Face a Trust Crisis with Clients, New Integris Survey Reveals
From Integris
November 18, 2024
ContractCrab Launches AI Contract Review for In-House Legal Teams
From ContractCrab
November 14, 2024
Editors' picks
Latest in Lawsuits and Litigation
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell