Recent Decision from the California Third District Court of Appeal Sparks Potential Enforcement of Privacy Regulations

The California Privacy Protection Agency (the “Agency”) may start enforcing privacy regulations according to a recent decision from the California Third District Court of Appeal. The privacy regulations at issue stem from the California Privacy Rights Act (“CPRA”), which voters approved in 2020 through Proposition 24. Proposition 24 expanded California’s comprehensive privacy law, the California Consumer Privacy Act (“CCPA”), and created the Agency, which has broad authority to regulate and enforce laws governing privacy-related matters. These privacy regulations describe how businesses must comply with the CPRA. For example, the rules prescribe detailed steps that businesses must follow for effecting a consumer’s right to correct, access or delete personal information and make choices about the selling of personal information and uses of “sensitive” personal information. These regulations went into effect in March 2023 and the Agency was to begin enforcing them in July 2023.

Although the CPRA required the Agency to finalize rules by July 1, 2022, the Agency finalized the rules over half a year later. A day after the first set of regulations went into effect, the California Chamber of Commerce sued the Agency, arguing that businesses lacked adequate time to comply with the regulations given their effective date (March 2023) and enforcement date (July 2023). In June 2023, a trial court agreed with the Chamber and ordered the Agency to stay enforcement of the March 2023 regulations for one year.

In a February 9, 2024 opinion, the appellate court overturned the lower court’s decision, holding that the Agency’s authority to enforce the March 2023 regulations should have been effective on July 1, 2023. The court noted that there is “no ‘explicit and forceful’ language” in the CPRA which “mandat[es] that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations[.]” While the appellate court’s decision advances the enforcement timeline of the initial CPRA regulations by seven weeks, subsequent rulemaking will not be subject to a 12-month waiting period once final regulations are approved. The Agency is actively formulating regulations for Cybersecurity Audits, Risk Assessments, and Automated Decision-Making.

“The California voters didn’t intend for businesses to pick and choose which privacy rights to honor. We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here,” said Michael Macko, Deputy Director of Enforcement for the California Privacy Protection Agency. “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

To avoid enforcement actions, businesses should immediately implement procedures that comply with these latest privacy regulations. The statute and rules apply to employees’ and business contacts’ personal information, in addition to persons traditionally considered to be “consumers.” To learn more about these regulations and the potential implications on your business, please contact Amanda Witt, Meghan Farmer, Ray Aghaian, Samuel Hyams, John Brigagliano or another member of Kilpatrick’s Cybersecurity, Privacy & Data Governance team.
