California Privacy Protection Agency to Begin Enforcement Activities

02.20.2024
Nossaman eAlert

After a successful appeal of a June ruling, the California Privacy Protection Agency (CPPA) is authorized to begin immediate enforcement of privacy regulations developed, and expanded, under the California Privacy Rights Act of 2020 (CPRA). Any company that has been relying on the nine-month enforcement delay is now required to implement the polices and regulations required by the CPRA to avoid penalization by the CPPA.

History

In the fall of 2020, California voters passed CPRA that created the CPPA, a newly established agency set out to implement and enforce new privacy consumer protections. The agency intended to adopt its final regulations by July 1, 2022, with enforcement to begin on July 1, 2023.

On June 30, 2023, the California Chambers of Commerce (“the Chambers”) successfully challenged the CPPA’s ability to enforce twelve privacy regulations until a year after the CPPA finalized them, which would not have been until March 29, 2024. The Chambers argued to the lower court that a full year was necessary, and required by the CPRA, for companies to comply with the newly adopted regulations.

Overturning

On February 9, 2024, the California Third Appellate District court vacated the June 30 ruling, requiring companies to immediately comply with the twelve CPRA regulations the agency has finalized. Given the contested March 29 date approaching, it is unlikely that the Chambers will seek further review. The finality of the appellate court’s reversal allows the CPPA to immediately begin issuing fines ranging from $2,500 to $7,500 per violation of any regulation.

Enforceable Regulations

The areas of regulation that the CPPA is now authorized to enforce include but are not limited to:

  • Required Disclosures to Consumers;
  • Business Practices for Handling Consumer Requests; and
  • Rules Regarding Consumers Under 16 Years of Age.

What’s Next

The CPPA is set to finalize regulations in the areas of risk assessments, cybersecurity audits and automated decision-making technology. Once the CPPA finalizes these regulations, the appellate court’s reversal allows for immediate enforcement, rather than having to wait an additional twelve months as the lower court previously held.

Businesses should be up to date with all CPRA requirements and regulations to avoid the CPPA issuing them any violations. By updating any newly restricted practices or policies now rather than later, companies will not be blindsided by the CPPA’s finalization of the remaining areas of regulation. Michael Macko, Deputy Director of Enforcement for the CPPA, explained clearly, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

Twitter/X Facebook LinkedIn PDF
Jump to Page

Nossaman LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek