By Cam Sivesind
Mon | Jul 17, 2023 | 11:59 AM PDT

Enforcement of the California Privacy Rights Act (CPRA)—a stiffening of the existing privacy laws under the California Consumer Privacy Act (CCPA)—has been delayed until March 29, 2024. A California judge made the decision just as the original July 1, 2023, deadline was to hit.

"While this delay may be welcome news for businesses subject to the California Consumer Privacy Act (#CCPA), it is no reason to delay privacy compliance initiatives as a slew of other states have laws set to take effect in the coming months/years," Kara Hilburger, Senior Counsel at Octillo, said in a LinkedIn post this morning. "Additionally, the March 29, 2023, regulations are the ones that are being delayed. Compliance with the original CCPA still applies and changes that took effect in January, such as the expiration of the employee data exemption, are still in play."

In a blog post on JD Supra, Fisher Phillips breaks down "how we got here," including:

  • In 2020, the California voters passed the CPRA by ballot initiative. 
  • The California Privacy Protection Agency (CPPA), which is responsible for drafting the regulations, was unable to complete its rulemaking process by the July 1, 2022, deadline and finalized the regulations on March 29, 2023—nine months late. 
  • The very next day, the California Chamber of Commerce filed a lawsuit seeking to delay enforcement of the regulations. The Chamber sought to delay enforcement of the entire CPRA until one year after all regulations were completed.
  • Friday afternoon, a Sacramento Superior Court granted the Chamber's request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024. The Court further ruled that any future regulations passed by the CPPA would likewise have a one-year delay from when they were enacted. 

Glenn Kapetansky, CSO at Trexin and speaker for SecureWorld conferences, had this to say:

"Although the 9-month delay (so far) of CPRA takes some pressure off of companies with California consumers, it is only temporary. The move toward GDPR-like privacy protection for consumers is progressing in other states (e.g. NY DFS), as well, and companies faced with this mosaic of state privacy regulations are best advised to continue their compliance efforts as table stakes for continuing to do business across all states."

More from the JD Supra blog post:

"Businesses should take a look at how they are prioritizing various components of CPRA compliance. With the delay of enforcement of the regulations, priority should be to:
  • Focus on ensuring compliance with the requirements that are enforceable today;
  • Review the March 29, 2023 regulations and understand how they will affect your current practices;
  • Finalize an approach and the action items you will take towards compliance with the regulations;
  • Ensure the business and those involved with CCPA compliance understand the obligations and what's ahead.

There are several components to compliance with the CCPA—affecting multiple business units with operational considerations to make. Becoming compliant can be a lengthy process so businesses should make sure to take advantage of this time to get fully compliant without delay."

Here's more information about California's Attorney General cracking down on compliance with the CCPA.
