The CPRA amended the California Consumer Privacy Act, and required the California Privacy Protection Agency to adopt final regulations by July 1, 2022, with enforcement to begin on July 1, 2023. However, the Agency failed to meet the deadline, and the regulations were not actually adopted until March 29, 2023.

Last June, the Sacramento Superior Court delayed enforcement of the CPRA regulations for 12 months after implementation, agreeing with the California Chamber of Commerce that the year-long delay in enforcement was intended to provide affected businesses with time to become compliant. But in its ruling issued on Friday, the Third District Court of Appeal found that the CPRA unambiguously provides for enforcement to begin on July 1, 2023, and contains no explicit language requiring a delay between the adoption of regulations and enforcement.

The decision creates a new sense of urgency for those companies who were relying on the delayed enforcement deadline to implement policies and practices required by the regulations. The CPRA covers 15 areas, including business purposes and disclosures, opt-out signals, and consumer rights requests. The regulations address 12 of those areas, but the Agency has yet to issue regulations in the areas of risk assessments, cybersecurity audits, and automated decision-making technology.

The Constangy Cyber Team continues to monitor developments at the state, national, and international levels related to privacy laws and enforcement. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.