Judge James P. Arguelles has granted a delay requested by the California Chamber of Commerce, prohibiting any official action on new rules until March of next year. This ruling aims to provide businesses with additional time to comply with the new regulations under the California Privacy Rights Act (CPRA), which were initially scheduled for enforcement starting July 1. Despite the delay, the California Privacy Protection Agency remains committed to its enforcement efforts.
The CPRA, a result of the successful Proposition 24 ballot initiative in 2020, further strengthened consumer privacy laws in California. The court agreed with the California Chamber that the regulations under the CPRA should have been in effect by July 2022, a deadline that the agency missed due to staffing challenges.
Although the court ruling temporarily halts the enforcement of current and future regulations, it does not render the underlying provisions of the CPRA unenforceable. Consumer rights granted by the Privacy Rights Act, such as the right to correct personal information or the right to opt out of data sharing, still stand. However, companies now have more time to ensure compliance with the specific technical details outlined in the agency’s regulations.
See also: California Privacy Rule Enforcement Paused Until March 2024 by Court Order
Disagreements regarding the interpretation of the CPRA may complicate the initial enforcement process. Business groups have argued that the act allows them to use opt-out links or tools like Global Privacy Control to automatically emit opt-out signals, while the agency has maintained that the use of opt-out signals is mandatory. It is crucial for companies to carefully consider the agency’s interpretation and not interpret the delay in regulations as permission to postpone global opt-outs. Compliance with state privacy laws should still be a priority, and companies should adhere to consumer privacy requests even though not every regulation is currently enforceable.
Make hiring a breeze – trust BCG Attorney Search to find the best candidates for your firm.
The court ruling brings relief to businesses planning compliance strategies in areas such as automation, risk assessments, and cybersecurity audits. Due to the ruling, future rulemaking in these areas, which lack detailed statutes like the CPRA, will likely require a one-year implementation period. This allows businesses to have ample time to adjust and integrate these topics into their operations.
The California Privacy Protection Agency continues its enforcement efforts without slowing down, exemplified by the recent hiring of Michael Macko as its enforcement chief. With a background in corporate counsel for Amazon.com Inc. and federal regulatory compliance experience at the Securities and Exchange Commission and the Department of Justice, Macko brings valuable expertise to the agency’s enforcement team. The agency plans to provide its first public update on its enforcement efforts during a meeting on July 14. It is also working on establishing a system for consumers to file privacy complaints, hiring a chief privacy auditor, and preparing for probable cause hearings if necessary.
While the court ruling grants a reprieve from enforcement specifically for the CPRA regulations, companies should not view it as a free pass. The focus of the agency, even during the ongoing hiring process, will be on educating the public and encouraging voluntary compliance. Therefore, businesses must ensure their privacy compliance programs are in place and align with statutory requirements. This delay in enforcement serves as an opportunity for companies to strengthen their compliance practices and be prepared for forthcoming actions from the California Privacy Protection Agency.
Despite the court ruling delaying the enforcement of new regulations under the California Privacy Rights Act, the California Privacy Protection Agency remains dedicated to its mission of protecting consumer privacy. Companies should stay proactive, maintain compliance efforts, and be prepared for future developments in privacy enforcement.
Don’t be a silent ninja! Let us know your thoughts in the comment section below.