CPPA appeals enforcement delay

The California Privacy Protection Agency (CPPA) recently lost a case at the Sacramento Superior Court that delayed the agency’s ability to enforce its first batch of regulations by around nine months.

The decision provoked a sigh of relief among some unprepared businesses. But the CPPA announced has announced an appeal of the decision that could mean that the regulations kick in earlier than expected.

As the uncertainty around the enforcement of the CPPA’s new regulations continues, this article considers whether the CPPA could win in court and explores how businesses should respond to news of the appeal.

The case against the CPPA

Californians voted “yes” to Proposition 24 in November 2020, passing the California Privacy Rights Act (CPRA) – a substantial set of amendments to the California Privacy Protection Act (CCPA).

As well as introducing new obligations on businesses and expanding Californians’ consumer rights, the CPRA established the CPPA – the first dedicated privacy regulator in the US.

The CPPA was empowered to perform several functions, including promoting privacy awareness, enforcing the CCPA, and promulgating a set of rules we’ll call the CPRA Regulations.

The law stated that the “timeline for adopting final regulations” would be 1 July 2022 and that the regulations would “not commence” (i.e., be enforceable) until 1 July 2023.

Late homework

The CPPA did not finalize its regulations until 29 March 2023 – almost 10 months later than expected. Planned rules about cybersecurity audits, risk assessments, and automated decision-making have still yet to be published by the agency.

But despite its tardiness, the CPPA said that it still intended to enforce its finalized regulations from the original date of 1 July 2023.

This decision meant businesses only had around two months to adapt to the new rules, rather than the 12 months that most had expected.

CalChamber’s case

Unhappy with the short notice, the California Chamber of Commerce (CalChamber) took the CPPA to court.

“The CPPA did not meet the voter-imposed deadline to adopt regulations,” said the industry association’s president, Jennifer Barrera. “In approving Proposition 24, the voters provided a one-year period for businesses to adjust their practices and comply with the law.”

The court sided with CalChamber, pushing back enforcement to 29 March 2024—12 months after the date that the CPPA published its final set of rules.

The court made clear that the CPPA could still enforce the original set of CCPA Regulations, which were issued by the California Attorney General and took effect in August 2020, with amendments in March 2021.

The agency can also enforce the CCPA itself, including the sections added or amended by the CPRA. The California Attorney General retains its powers to enforce the law alongside the agency.

The CPPA’s defense

The CPPA and the California Attorney General filed an appeal of the Superior Court’s decision at the California Third District Court of Appeal on 4 August 2023.

“…granting CalChamber’s request to delay enforcement of portions of the regulations hurts not only consumers, but also those businesses that have operated in good faith to implement the protections required by the regulations,” said the CPPA’s general counsel, Philip Laird.

In its unsuccessful defense at the Superior Court, the agency argued that the CCPA’s phrasing was ambiguous. The law’s reference to a 1 July, 2022 “timeline” did not necessarily mean a 1 July, 2022 “deadline”, the CPPA claimed.

Judge James P Arguelles was not persuaded by this argument, finding that the obvious interpretation of “timeline” was indeed “deadline”—and that Californians did in fact vote to give businesses 12 months to prepare for enforcement of the regulations, rather than two.

The court was also unconvinced that certain businesses would be disadvantaged by an enforcement delay—and found that consumers would not be significantly adversely impacted, given the CPPA still had plenty of other rules to enforce until next March.

Will the CPPA win?

The CPPA has not released a copy of its petition to the Third District Court of Appeal, but public statements about the case do not reveal any new arguments or evidence that would strengthen the agency’s case.

Persuading the appeal court that the lower court erred on the law could be difficult. As Judge Arguelles noted in his judgment—following the CPPA’s logic, the agency could have finalized its regulations after 1 July and enforced the new rules on the very same day.

The court pointed out that Californians voted on two dates: 1 July 2022 as the “timeline” (deadline) for promulgating regulations, and 1 July 2023 as the commencement date.

“The very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations,” the Superior Court held.

“The Court is not persuaded by the Agency’s argument that it may ignore one date while enforcing the other.

How should businesses respond?

If the CPPA wins its appeal, both the agency and the Attorney General could receive powers to enforce the CPRA Regulations earlier than March 29, 2024.

But while there less than five months have passed since the regulations were finalized, it has been over a year since the publication of the first draft.

Even if the CPPA’s appeal fails, and the enforcement date stays at 29 March 2024, businesses have seven months at most to prepare (at the time of writing).

With important rules on almost every aspect of CCPA compliance, including a detailed list of privacy policy requirements and an obligation to conduct employee privacy training, the CPRA Regulations deserve serious attention as soon as practicable.