The California Privacy Protection Agency (CPPA) was supposed to finalize new privacy regulations last July—but missed its deadline by around nine months.
The new regulations (which we’ll call “the CPRA Regulations”) arrived on 29 March 2023, giving businesses only a couple of months to comply before the intended deadline of 1 July 2023.
But a California court has intervened, pushing the enforcement deadline back to 29 March 2024.
There is a lot of confusion about what this decision means. To clarify matters, we’ve created a timeline that sets out the recent history of California’s privacy efforts—and provided one truth and three falsehoods about the implications of this California court judgment.
The CPPA was formed after the passing of the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA). One of the CPPA’s first tasks was to create the CPRA Regulations, enforcement of which has now been delayed.
This can be a confusing area, particularly with so many acronyms containing the letters “C”, “P”, and “A”.
So here’s a reminder of what’s happened with CCPA lawmaking and rulemaking so far. We’ve split the timeline into three phases to clarify the CCPA’s history further.
Phase 1: Early CCPA activity
Skipping over the initial CCPA proposals and debates, our timeline begins in June 2018.
- June 2018: The CCPA becomes law.
- October 2019: A bill, AB 25, delays enforcement of some of the CCPA’s rules on employees and business-to-business (B2B) processing until January 2021.
- January 2020: The CCPA takes effect.
- September 2020: Another bill, AB 1281, further delays the CCPA’s employee and B2B rules until January 2022.
- August 2020: Initial CCPA Regulations take effect.
That covers California’s early CCPA activity.
Phase 2: Post-Prop 24
The next stage of our timeline starts in November 2020, when California voters approved Proposition 24.
- November 2020: California approves Proposition 24:
- The CPRA becomes law.
- The CPPA is established.
- The CCPA’s employee and B2B rules are delayed again, until January 2023.
- March 2021: Amended CCPA Regulations take effect.
- July 2022: CPPA misses the deadline for promulgating CPRA Regulations.
- August 2022: California Attorney General (AG) reaches first CCPA settlement with Sephora.
So 2022 closed with the first CCPA enforcement activity—but without the planned CPRA Regulations.
Phase 3: 2023
This brings us to 2023. A lot has happened so far this year.
- 1 January 2023:
- CPRA takes effect.
- CCPA employee and B2B rules finally take effect.
- 29 March 2023: CPPA finalises CPRA Regulations, which are intended to take effect on 1 July 2023.
- 30 June 2023: Sacramento court delays enforcement of CPRA Regulations until 29 March 2024.
- July 1 2023: CPPA begins enforcement, but not enforcement of the CPRA Regulations—yet.
True: Enforcement of the new CPRA regulations has been delayed
Despite misleading information remaining present in several important outlets, including on the CPPA’s own website, the CPRA Regulations have been delayed.
This means you will not be penalized for failing to comply with the CPRA Regulations, published in March 2023, until 29 March 2024 at the earliest.
The CPRA Regulations provide detailed requirements in almost every area of CCPA compliance, so this temporary reprieve will be welcomed by many businesses.
False: No CCPA regulations are in force
As noted in our timeline above, California passed an initial set of CCPA Regulations in 2020 and amended them in 2021.
If you’re only considering the actual statute of the CCPA, you’re likely not fully compliant with California privacy law. The initial CCPA Regulations provide detailed instructions on how to meet the CCPA’s requirements.
These regulations are in effect and were cited in the first CCPA settlement last year. The “old” CCPA Regulations remain unaffected by last month’s court decision.
False: CPRA enforcement has been delayed
Although the CPRA Regulations have been delayed, the effective date of the CPRA has not. The CPRA took effect on 1 January 2023, so your compliance program should already account for the new law.
And while the CPPA cannot enforce its new CPRA Regulations yet, as of 1 July, the agency can enforce the CCPA (as amended by the CPRA) itself—and so can the California AG.
False: CCPA B2B and employee exemptions are still in place
From 2018-2020, several California bills delayed most of the CCPA’s B2B and employee rules, pushing this tricky compliance area into many privacy professionals’ “Think About It Later” folder.
The B2B and employee exemptions expired on 1 January 2023. This means your business partners and employees are now “consumers” in most contexts.
In fact, the California AG wrote to California businesses in mid-July, requesting information on their compliance efforts in this new area.
So while the CPRA Regulations have been delayed until next year, all existing California privacy obligations remain—and that should be more than enough to keep compliance teams busy.