California Court of Appeals Rules CPPA Can Start Enforcing Regulations

On February 9, 2024, California’s Third District Court of Appeals ruled that the California Privacy Protection Agency (CPPA) may begin enforcing its finalized data privacy regulations immediately, overturning the lower court’s prior ruling that delayed enforcement.

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), tasks the CPPA with promulgating regulations by July 1, 2022, and permits the CPPA to enforce such regulations beginning July 1, 2023. The CPPA failed to finalize the regulations by the statutory deadline, instead issuing final regulations on 12 (out of 15) subject matter areas¹ on March 29, 2023. Nevertheless, the agency still aimed to commence enforcement on July 1, 2023, leaving businesses with only three months to comply with the regulations.

The California Chamber of Commerce (the Chamber) filed suit to delay the enforcement, arguing that the voters had intended for enforcement of the regulations to take place 12 months after their finalization. The lower court agreed with the Chamber’s argument, ruling on June 30, 2023, that the CPPA must delay enforcement of the regulations it issued on March 29, 2023, until March 29, 2024.² Though the Appellate Court acknowledged that the CPPA did not meet the required deadline, it overturned the lower court’s decision based on its finding that the CCPA does not expressly mandate a one-year gap between approval of the final regulations and enforcement, and there is no basis to believe voters intended such a gap.³ Instead of March 29, 2024, the court decided that the agency’s enforcement authority should have gone into effect on July 1, 2023.

With this decision, the CPPA can now begin enforcing its regulations, instead of waiting one year after the regulations are finalized. Prior to the ruling, we have already seen CCPA enforcement activity pick up in the new year with the California Attorney General’s announcement of an investigative sweep into the CCPA compliance of streaming services on January 26, 2024. The CPPA’s press release on the ruling also appears to signal its intent to enforce the regulations with Deputy Director of Enforcement, Michael Macko stating that the decision “should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.” Companies should move quickly to examine and adapt their privacy programs (see here for our previous post on current CPPA rulemaking).

We will continue to monitor developments in this space as well as the CPPA public meetings. Please contact a member of Akin’s cybersecurity, privacy and data protection team to learn more about how these incoming regulations may affect your company.

^{1 The three remaining areas concern cybersecurity audits, risk assessments and automated decision-making technology.}

^{2 California Chamber of Commerce v. California Privacy Protection Agency, 34-2023-80004106-CU-WM-GDS (Cal. Super. June 30, 2023) available at (https://www.akingump.com/a/web/t7mbsz8AwtcTyWt1U4Srr5/california_chamber_of_commerce_v_california_privacy_protection_agency.pdf).}

^{3 California Privacy Protection Agency v. Super. Ct. of Sacramento Cnty., C099130 (Cal. Ct. App. February 9, 2024), available at (https://www.akingump.com/a/web/6ZGnx1MeXfDhwBjdbKwD3A/california_privacy_protection_agency_v_superior_court_of_sacramento_county.pdf.}