Immediately after the regulations were issued, the California Chamber of Commerce filed a lawsuit requesting that enforcement be delayed by one year to provide sufficient time for businesses to come into compliance. The court entered its ruling on Friday, one day before the regulations were scheduled to take effect. In its ruling, the court agreed with the Chamber that the CCPA, as amended, intended for businesses to have a full 12 months to come into compliance. By delaying issuance of the regulations until March 24, 2023, the court said, the agency will not be able to take enforcement action until March 24, 2024.

It is important to note that Friday’s decision affects only the enforcement of the regulations. Other components of the CCPA remain enforceable. But for businesses, the court’s decision may come as a welcome reprieve, giving the them additional time to address the comprehensive compliance requirements, which include updated requirements related to sensitive personal information, employee data, collection and processing of advertising cookies, and updated data subject rights.  

The agency also has yet to promulgate regulations related to risk assessments, audits, and automated decision-making, and so the effective date for these regulations will be one year from the date that they are issued.

The Constangy Cyber Team continues to monitor developments at both the state, national, and international levels related to privacy laws and enforcement. We will continue to review the CCPA enforcement protocols, and their impact on the day-to-day operations of businesses. Follow our blog to stay up to date and learn more.