California state appeals court restores California Privacy Protection Agency's power to enforce regulations
While they would have otherwise been enforceable in about two months anyway, a California state appeals court has ruled that the California Privacy Protection Agency (CPPA) can enforce its regulations issued under the California Privacy Rights Act (CPRA) starting immediately. The decision comes on appeal from a lower court’s stay of enforcement ruling that the intent of the CPRA was that businesses should have one year after the regulations were issued. Businesses that believed they had two more months to comply with the regulations should immediately get policies and procedures in place to comply. The ruling also calls into question how long businesses may have to comply with the next set of regulations yet to be issued, including around automated decision-making and cybersecurity audits or other changes to existing regulations. This ruling suggests they could be enforceable much shorter than one year after final approval.
California’s Third District Court of Appeal has sided with the California Privacy Protection Agency and California Attorney General Rob Bonta in the case of California Privacy Protection Agency v. Superior Court (California Chamber of Commerce).
View referenced article
The court held that the Agency’s authority to enforce its amended regulations should have been effective on July 1, 2023. Today’s decision restores this authority and overturns a lower court decision.
…
In June 2023, a lower court ordered the Agency to stay the enforcement of new and amended regulations that took effect on March 29, 2023, for one year. The order also applied the one-year enforcement stay to proposed regulations still in development by the Agency. The push to delay enforcement of Californians’ privacy rights was brought by the California Chamber of Commerce.