CPRA Regulations Delayed. On June 29, 2023, two days before enforcement of the California Consumer Privacy Act (CCPA) was to begin, a Sacramento Superior Court issued a temporary injunction, enjoining enforcement of newly promulgated regulations under the California Privacy Rights Act (CPRA), which amended the CCPA earlier this year. The new regulations were promulgated and purportedly went into effect on March 29, 2023. Specifically, the court enjoined enforcement of these final CPRA regulations, which will be stayed for a period of 12 months from the date that individual regulation becomes final. The court declined to mandate any specific date to finalize the remaining regulations.

CPRA Regulations Addressing 12 of 15 Areas Effective March 29, 2024; Final Three Areas Not Effective for Over a Year. While the CPRA stated that “the timeline for adopting final regulations required by the [CPRA] shall be July 1, 2022,” the agency did not issue final regulations until March 29, 2023 (Cal. Civ. Code § 1798.185(d)). Yet, the CPRA establishes a minimum of one year between promulgation of final regulations and regulation enforcement. Moreover, the final regulations issued on March 29, 2023 only pertained to 14 of the 22 areas outlined in the CPRA (such as updating definitions, establishing rules to govern opt-outs, and further defining and adding to business purposes)[1]. These 14 will become effective March 29, 2024. The agency is currently conducting preliminary rulemaking on the remaining three areas (i.e., cybersecurity audits, risk assessments, and automated decision-making), and these final regulations will not become effective until 12 months following publication.

CPRA Enforcements Still Starting on July 1, 2023 (But Not on Regulations Requirements). In its decision, the court cited language from the CPRA that enforcement of the regulations would not begin until July 1, 2023. Therefore, the court agreed “the very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of these regulations.”

Immediately Beginning CPRA Good Faith Compliance. While the court’s decision offers a temporary respite from any last-minute compliance efforts, companies should continue to strive for compliance with the regulations since the agency’s decision to pursue an investigation into CPRA violations will be based on “all facts it determines to be relevant, including … good-faith efforts to comply with those requirements.” For CPRA/CCPA compliance resources and best practices, see our two webinars on the topic, How to Navigate the Rush of New State Privacy Laws and Navigating the Critical Differences Between the CCPA and CPRA; and our five-part California Privacy Rights Act Series, published in the California Daily Journal.

As always, Troutman Pepper’s Privacy + Cyber Practice stands ready to assist with U.S. state/federal and global privacy/security compliance, including developing policies and procedures for companies with CCPA/CPRA and other U.S. state comprehensive privacy laws.

Please contact Jim Koenig, Ron Raether, Kim Phan, Sadia Mirza, Joel Lutz, Laura Hamady, Robyn Lin, or any member of our Privacy + Cyber Practice Group with questions.


[1] The rulemaking touched on the following topics: (1) defining notified purposes for which a consumer can collect, use, retain, and share consumer personal information, (2) establishing rules, procedures, and any exceptions to notice requirements, (3) establishing rules and procedures to facilitate and govern submission of a consumer’s request to opt-out of sale/sharing and requests to limit use and disclosure of sensitive personal information, (4) establishing rules and procedures for facilitating a consumer’s right to delete, correct, or obtain personal information, (5) establishing rules on how often and under what circumstances a consumer can request a correction, (6) establishing procedures to extend the 12-month period of disclosure of information, (7) defining requirements and specifications for an opt-out preference signal, (8) establishing regulations governing how businesses respond to an opt-out signal, (9) establishing rules governing use or disclosure of sensitive personal information, (10) defining and adding to business purposes, (11) identifying business purposes for which service providers may use consumers’ personal information pursuant to a written contract, (12) establishing procedures for filing complaints with the CPPA, (13) defining scope and process for the exercise of the CPPA’s audit authority, and (14) harmonizing regulations.


*Laura Hamady, a senior privacy and security advisor at Troutman Pepper and not admitted to practice law in any jurisdiction, contributed to this article.

James Koenig

Jim co-chairs the firm’s Privacy + Cyber Practice Group. For the past ten years, he has represented global clients in the financial services, energy, retail, pharmaceutical/health care, cable, telecommunications, car rental, airline, social media, technology, and manufacturing industries, including 35% of Fortune 100-listed companies.

Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Joel Lutz

Joel is a privacy and data protection attorney with extensive experience designing and implementing global privacy programs, including 19 years of in-house and law firm experience.

Laura Hamady

Laura serves as counsel in the firm’s Privacy + Cyber practice. She brings more than 15 years of experience in privacy and cybersecurity related matters. Laura is an industry-experienced privacy leader and has served in senior privacy leadership positions at a variety of large companies across various industry spaces, including Twitter, Visa, PayPal, Chronicle (a Google company), Groupon, Levi’s, Takeda Pharmaceuticals, and more.