Covered entities under the California Consumer Privacy Act are finally set to face fresh requirements under previously suspended rules drafted by the California Privacy Protection Agency. The California 3rd District Court of Appeals ruled in a 3-0 decision to allow the CPPA to immediately begin enforcing its first set of California Privacy Rights Act regulations following a prior court-ordered delay.

The CPRA rules concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling were initially set to be enforced 1 July 2023. The Sacramento County Superior Court ruled 30 June 2023 in favor of a decision the imposed delay "would disregard the unambiguous (CPRA) provision" staking the start of rules enforcement to 1 July 2023. She added, "The voters intended to strengthen and protect consumers' privacy rights regarding the collection and use (including sale) of their personal information."

The initial decision by Sacramento County Superior Court Judge James Arguelles focused on the grace period between rules finalization, as he wrote voters "intended there to be a gap." The CPRA rules in question were only finalized 30 March 2023, which left less time to prepare for enforcement than the six-month ramp-up period provided under the statute.

"We are pleased with the decision. This ruling ensures all aspects of the regulations adopted by the California Privacy Protection Agency last year are again enforceable, just as the voters intended when they enacted Proposition 24," CPPA Executive Director Ashkan Soltani said in an agency press statement on the appellate court ruling.

The appellate decision also has implications on future rulemaking efforts by the CPPA, allowing for enforcement of future regulations upon their finalization. The agency is currently working through its next cybersecurity audits, risk assessments and

It's unclear whether the CPPA will provide any sort of leeway given businesses have had nearly 11 months since the rules were finalized to adjust or improve their data practices according to the statute.

"The California voters didn't intend for businesses to pick and choose which privacy rights to honor. We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here," CPPA Deputy Director of Enforcement Michael Macko said in the agency's statement. "This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations."

CCPA enforcement has yet to produce many notable actions besides a USD1.2 million cure notices.

The lift on enforcement will undoubtedly bring increased activity, particularly in the advertising technology space as many of the rules that will be enforced relate to targeted advertising and consent around how those ads are produced and served.

"California has set the bar with a very simple 'flip of the switch'