California Privacy Protection Agency to Begin Enforcement Activities

Nossaman eAlert

After a successful appeal of a June ruling, the California Privacy Protection Agency (CPPA) is authorized to begin immediate enforcement of privacy regulations developed, and expanded, under the California Privacy Rights Act of 2020 (CPRA). Any company that has been relying on the nine-month enforcement delay is now required to implement the polices and regulations required by the CPRA to avoid penalization by the CPPA.


In the fall of 2020, California voters passed CPRA that created the CPPA, a newly established agency set out to implement and enforce new privacy consumer protections. The agency intended to adopt its final regulations by July 1, 2022, with enforcement to begin on July 1, 2023.

On June 30, 2023, the California Chambers of Commerce (“the Chambers”) successfully challenged the CPPA’s ability to enforce twelve privacy regulations until a year after the CPPA finalized them, which would not have been until March 29, 2024. The Chambers argued to the lower court that a full year was necessary, and required by the CPRA, for companies to comply with the newly adopted regulations.


On February 9, 2024, the California Third Appellate District court vacated the June 30 ruling, requiring companies to immediately comply with the twelve CPRA regulations the agency has finalized. Given the contested March 29 date approaching, it is unlikely that the Chambers will seek further review. The finality of the appellate court’s reversal allows the CPPA to immediately begin issuing fines ranging from $2,500 to $7,500 per violation of any regulation.

Enforceable Regulations

The areas of regulation that the CPPA is now authorized to enforce include but are not limited to:

  • Required Disclosures to Consumers;
  • Business Practices for Handling Consumer Requests; and
  • Rules Regarding Consumers Under 16 Years of Age.

What’s Next

The CPPA is set to finalize regulations in the areas of risk assessments, cybersecurity audits and automated decision-making technology. Once the CPPA finalizes these regulations, the appellate court’s reversal allows for immediate enforcement, rather than having to wait an additional twelve months as the lower court previously held.

Businesses should be up to date with all CPRA requirements and regulations to avoid the CPPA issuing them any violations. By updating any newly restricted practices or policies now rather than later, companies will not be blindsided by the CPPA’s finalization of the remaining areas of regulation. Michael Macko, Deputy Director of Enforcement for the CPPA, explained clearly, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

Twitter/X Facebook LinkedIn PDF


Jump to Page

We use cookies on this website to improve functionality, enhance performance, analyze website traffic and to enable social media features. To learn more, please see our Privacy Policy and our Terms & Conditions for additional detail.