Covered entities under the California Consumer Privacy Act are finally set to face fresh requirements under previously suspended rules drafted by the California Privacy Protection Agency. The California 3rd District Court of Appeals ruled in a 3-0 decision to allow the CPPA to immediately begin enforcing its first set of California Privacy Rights Act regulations following a prior court-ordered delay.
The CPRA rules concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns and consumer request handling were initially set to be enforced 1 July 2023. The Sacramento County Superior Court ruled 30 June 2023 in favor of a complaint filed by the California Chamber of Commerce to delay rules enforcement 29 March.
Third District Court of Appeals Associate Justice Elena Duarte wrote in the reversal decision the imposed delay "would disregard the unambiguous (CPRA) provision" staking the start of rules enforcement to 1 July 2023. She added, "The voters intended to strengthen and protect consumers' privacy rights regarding the collection and use (including sale) of their personal information."
The initial decision by Sacramento County Superior Court Judge James Arguelles focused on the grace period between rules finalization, as he wrote voters "intended there to be a gap." The CPRA rules in question were only finalized 30 March 2023, which left less time to prepare for enforcement than the six-month ramp-up period provided under the statute.
"We are pleased with the decision. This ruling ensures all aspects of the regulations adopted by the California Privacy Protection Agency last year are again enforceable, just as the voters intended when they enacted Proposition 24," CPPA Executive Director Ashkan Soltani said in an agency press statement on the appellate court ruling.
The appellate decision also has implications on future rulemaking efforts by the CPPA, allowing for enforcement of future regulations upon their finalization. The agency is currently working through its next rulemaking initiative concerning cybersecurity audits, risk assessments and automated decision-making technologies.
While the rules will be enforced immediately, the CPPA embedded a potential discretionary enforcement reprieve in its first CPRA rulemaking while recognizing the shorter-than-expected grace period for covered entities. A rule was drafted to allow the CPPA to "consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements."
It's unclear whether the CPPA will provide any sort of leeway given businesses have had nearly 11 months since the rules were finalized to adjust or improve their data practices according to the statute.
"The California voters didn't intend for businesses to pick and choose which privacy rights to honor. We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here," CPPA Deputy Director of Enforcement Michael Macko said in the agency's statement. "This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations."
CCPA enforcement has yet to produce many notable actions besides a USD1.2 million settlement against multinational retailer Sephora over alleged "Do Not Sell" violations. In other instances, the CPPA and the California attorney general's office have conducted enforcement sweeps and served cure notices.
The lift on enforcement will undoubtedly bring increased activity, particularly in the advertising technology space as many of the rules that will be enforced relate to targeted advertising and consent around how those ads are produced and served.
"California has set the bar with a very simple 'flip of the switch' Global Privacy Control," Digital Content Next CEO Jason Kint said. "Google and Meta's proxies are now out of runway to slow down enforcement and must finally meet the letter and spirit of the law — allowing the public to opt out of their data being shared across the web. And switching away from Chrome to Brave or Firefox is now a no-brainer as Google continues to drag out removal of tracking cookies."