On Friday, June 30, 2023, the Superior Court of California (Sacramento Division) delayed enforcement of regulations under the California Privacy Rights Act of 2020 (“CPRA”) until one year after adoption – or March 29, 2024. The regulations were published by the California Privacy Protection Agency (“Agency”) on March 29, 2023. The court further held that future CPRA regulations also will not be enforceable until one year after adoption.
GROOM INSIGHT: Notably, the delay does not appear to impact the carve-out in the CPRA for health plans and insurers subject to the HIPAA privacy rules or personal information subject to the Gramm-Leach-Bliley Act. So, those carve-outs continue to apply.
In addition, the delay does not address the “employer” exception that was included in the original California Consumer Privacy Act (“CCPA”). That exception sunsetted on December 31, 2022 and remains expired.
As background –
- CCPA – The California legislature first adopted the CCPA in 2018. The CCPA was intended to enhance privacy rights and consumer protections for California residents. The California Department of Justice (“DOJ”) promulgated an initial round of regulations implementing the CCPA on August 14, 2020, which were amended on March 15, 2021.
- CPRA – In November 2020, California voters passed the CPRA (in Proposition 24), which amended the CCPA. On March 29, 2023, the newly-formed Agency issued regulations under the CPRA, which updated the 2020 and 2021 regulations previously published by the DOJ under the CCPA.
The delay adopted by the Superior Court relates only to regulations adopted under the CPRA. The Superior Court specifically states that (emphasis added):
The Petition is granted, in part. Enforcement of any final Agency regulation implemented pursuant to Subdivision (d) will be stayed for a period of 12 months from the date that individual regulation becomes final, as described above. The Court declines to mandate any specific date by which the Agency must finalize regulations. This ruling is intended to apply to the mandatory areas of regulation contemplated by Section 1798.185, subdivision (a). Consistent with the plain language of Section 1798.185, subdivision (d), regulations previously passed pursuant to the CCPA will remain in full force and effect until superseding regulations passed by the Agency become enforceable in accordance with the Court’s Order.
The first set of CPRA regulations were finalized on March 29, 2023, so these regulations will not be enforceable until March 29, 2024 – one year after the date of adoption. Going forward, future CPRA regulations also will not be enforceable until one year after adoption. However, regulations the DOJ adopted in 2020/2021 under the CCPA were not impacted by the Court’s decision.
GROOM INSIGHT: While there may be a little breathing room regarding enforcement of the CPRA under this court order as the California regulators review how to proceed, the overall outcome is that employers and benefit plans that are not subject to the HIPAA or Gramm-Leach-Bliley exceptions still should be working toward compliance, where applicable, since the current CCPA regulations are still enforceable, and the CPRA regulations will be enforceable in March 2024.
Such employers and benefit plans can use this time to review their positions on applicability, take inventory of information subject to these rules, and plan and execute steps for compliance.
Copyright © 2023 Groom Law Group, Chartered. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. With permission, excerpts and links may be used, provided that full and clear credit is given to Groom Law Group, Chartered and www.groom.com with appropriate and specific direction to the original content. For assistance, you may contact us.