On February 9, 2024, the California Court of Appeal's ruling reinstates the California Privacy Protection Agency's enforcement authority, affecting finalized regulations that are now free from enforcement delays. Future regulations currently in progress are expected to move forward without delay once completed. Ongoing legal battles over enforcement are anticipated, particularly as the California Chamber of Commerce pursues review by the California Supreme Court.
In late June 2023, employers celebrated a significant victory when a Sacramento trial court temporarily halted the enforcement of the final regulations under the California Privacy Rights Act (CPRA), the sole comprehensive state data protection law among the 14 recently enacted ones that pertains to human resources information. This extended reprieve was cut short on February 9, 2024, as the California Court of Appeal dismissed the lower court's injunction, immediately reinstating enforcement powers to the California Privacy Protection Agency (the 'Agency').
This decision also affects the enforcement of forthcoming regulations concerning cybersecurity audits, risk assessments, and automated decision-making technology, as the appellate court rejected the Sacramento trial court's one-year stay on future enforcement. Consequently, employers who had been anticipating a completion deadline of March 29, 2024, for their CPRA compliance work are now urged to expedite their efforts. Additionally, they should closely follow the rulemaking progress for the three sets of pending regulations.
This post provides an overview of the ruling, its implications for employers, and updates on the status of the three forthcoming sets of regulations.
Leading to the Court's Decision
The California Privacy Rights Act (CPRA) expanded the reach of the California Consumer Privacy Act to include the personal data of California job applicants, employees, independent contractors, and emergency contacts. Among its provisions, the CPRA established the California Privacy Protection Agency and mandated the adoption of final implementing regulations across various topics by July 1, 2022, with enforcement slated to begin a year later, on July 1, 2023. However, the Agency missed the statutory deadline of July 1, 2022. It wasn't until March 29, 2023, that the Office of Administrative Law finally approved the last regulations. Even then, only some of the subject matters had finalized regulations. Nevertheless, the Agency aimed to enforce CPRA regulations in the areas that had been finalized starting July 1, 2023.
In response, the California Chamber of Commerce sued the Agency, seeking an order compelling the Agency to finalize regulations on all remaining subject matters and asking for a one-year stay on enforcement from the date of adoption. On June 30, 2023, the Sacramento trial court declined to mandate when the Agency must finalize the pending regulations, but ordered a 12-month stay on enforcement of the final regulations, reasoning that immediate enforcement should be prohibited because the Agency had failed to implement final regulations by the statutory deadline, and the one-year grace period in the CPRA was intended to give businesses sufficient time after finalization of the regulations to comply.3 The decision also applied to the three sets of upcoming regulations – cybersecurity audits, risk assessments, and automated decision-making technology – requiring a one-year delay in enforcement from the date those regulations will have been finalized.
The Agency filed a petition to the appellate court for extraordinary writ of mandate, arguing that that the CPRA did not expressly link enforcement of the law with the implementation of final regulations.
Appellate Court Restores the Agency's Enforcement Authority
In its ruling on February 9, 2024, the California Court of Appeal issued a peremptory writ of mandate, lifting the enforcement stay effective upon the court's order filing. The court determined that neither the CPRA's language nor any interpretative guidance suggested that the one-year gap between the July 1, 2022 deadline for final regulations and the July 1, 2023 enforcement start date was intended as a grace period for businesses to achieve compliance. Therefore, the trial court had no grounds to effectively modify the statute's plain language allowing enforcement to commence on July 1, 2023. Interestingly, the Court of Appeal instructed the trial court to reconsider the necessity of expediting the development of the remaining regulations—a matter the trial court had previously declined to address.
Typically, decisions in writ proceedings become final 30 days after the filing date. However, in this instance, the appellate court decreed immediate finality of its ruling, rendering it effective upon filing on February 9, 2024, and eliminating any potential further delays on the Agency's enforcement authority.
While enforcement powers are promptly reinstated, the Agency retains the discretion to acknowledge that businesses had less than a full year to achieve compliance. The Court of Appeal emphasized a provision within the final CPRA regulations, granting the Agency the authority to 'consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.'
Nevertheless, the Agency has expressed its readiness to commence enforcement. Following the ruling, the Agency released a statement affirming that its 'enforcement team stands ready to take it from here.'
Important Points to Note
While additional legal challenges may be forthcoming, the recent ruling from the Court of Appeal and the Agency's public announcement indicate that CPRA enforcement is now imminent. Employers who have not finished their CPRA compliance tasks should hasten their efforts.
Furthermore, it's probable that future regulations will take effect immediately upon finalization, without any grace period. Employers should stay vigilant, keeping an eye on the ongoing legal proceedings and the Agency's intricate process of rule-making. This includes upcoming regulations on cybersecurity audits, risk assessments, and ADM guidelines, as well as potential amendments to the already finalized CPRA regulations.
Comments