On June 30, 2023, a Superior Court of California (County of Sacramento, case number 34-2023-80004106-CU-WM-GDS) held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations cannot commence until one year after the finalized date of the regulations. However, the court declined to delay the CPPA’s ability to enforce violations of the underlying ballot initiative.
As background, the California Privacy Rights Act (“CPRA”) amended the California Consumer Privacy Act (“CCPA”) and, among other things, established the CPPA and mandated the CPPA issue regulations. The CPPA finalized its first rulemaking package on March 29, 2023 and has ongoing rulemaking activities focused on cybersecurity audits, risk assessments, and automated decisionmaking. Because of the order, the CPPA cannot enforce the regulations it finalized on March 29, 2023 until March 29, 2024, although it appears to be able to enforce the underlying provisions of the CCPA, as amended by the CPRA.
Any future regulations must be final for one year before enforcement (e.g., if the CPPA finalizes regulations relating to cybersecurity audits on October 1, 2023, the CPPA cannot enforce these regulations until October 1, 2024). As of this blog post, we are not aware of the CPPA appealing the court’s order, although the CPPA is scheduled to discuss enforcement priorities at a Board meeting scheduled for July 14, 2023.