July 6, 2023

Click for PDF

On June 30, 2023, Sacramento Superior Court Judge James Arguelles held that the California Privacy Protection Agency (CPPA) cannot enforce its Regulations issued on March 29, 2023, until March 29, 2024—about nine months later than the date the California Privacy Rights Act (CPRA) permitted enforcement of any provisions added or amended by the law.[1]  This development provides helpful breathing room for businesses seeking to comply.  It is important to note that this reprieve only exists for the new regulations issued under the CPRA on March 29, 2023, not all aspects of the CPRA, as explained below.

Delay Begets Delay

The saga of the CCPA, which ultimately led to the California privacy regulations saga, began in 2017.  An advocacy group, Californians for Consumer Privacy, began collecting signatures and by 2018, was in position to successfully submit a ballot initiative for consideration by California voters in the November 2018 election titled the “California Consumer Privacy Act,” or CCPA.  State legislators negotiated a compromise with key stakeholders, including Californians for Consumer Privacy, and enacted a last-minute compromise draft through the legislative process in exchange for pulling the initiative off of the November 2018 ballot.[2]  The state legislature passed the California Consumer Privacy Act (CCPA) as AB 375 and it was signed into law on June 28, 2018, with provisions becoming operative January 1, 2020.

After the passage of the CCPA, but even before it came into effect, Californians for Consumer Privacy remained dissatisfied with the state of California privacy law and began a second ballot initiative, the California Privacy Rights Act (CPRA).  Voters approved the initiative (Proposition 24) in November 2020.  The CPRA amended the CCPA by, among other things, adding additional consumer rights, including the right to correct inaccurate personal information, the right to opt out of certain “sharing” of data (rather than just the right to opt out of “sale” of data), and the right to limit the use and disclosure of sensitive personal information.

The CPRA also created the California Privacy Protection Agency (CPPA) and charged it with promulgating final regulations under the law and, along with the Attorney General, enforcing the law and those regulations.  The CPRA specified that “[t]he timeline for adopting final regulations required by the act … shall be July 1, 2022” and “[n]otwithstanding any other law, civil and administrative enforcement … shall not commence until July 1, 2023[.]”[3]

The CPPA, however, failed to finalize regulations by July 1, 2022, and businesses seeking to comply with the new requirements were left to wonder about both the ultimate content of the regulations and their potential enforcement exposure and liability.  On March 29, 2023, nine months after the deadline, the CPPA issued final regulations relating to twelve of the fifteen topics contemplated by the CPRA—leaving businesses just three months to comply.  Today, there are still no regulations concerning three key elements of the CPRA, that the CPPA is tasked with tackling, namely cybersecurity audits, risk assessments, and automated decision-making technology.[4]  Further, the CPPA has publicly discussed other specific topics of consideration that it intends to address (on a much longer timeline), including employment-related data issues, and social media API access.  The CPPA has not indicated a clear timeline to promulgate regulations or enforce the law in any of the remaining  areas, despite consideration that certain of them are more difficult than others, and undergoing a diligence process.[5]

The Chamber of Commerce’s Lawsuit

The California Chamber of Commerce sued, seeking a delay of the CPRA for a period of one year after all required regulations were issued.[6]

Following a hearing on June 30, 2023, the California Superior Court, Sacramento County issued a Minute Order considering this request, applying rules of statutory interpretation to determine the voters’ intent in passing the CPRA and the appropriate resultant timeline for enforcement.[7]  The court held that “the plain language of the statute indicates the [CPPA] was required to have final regulations in place by July 1, 2022” and “the [CPPA] should be prohibited from enforcing the Act on July 1, 2023 when it failed to pass final regulations by the July 1, 2022 deadline.”[8]  “The very inclusion of [the timeline prescribed by subdivision (d)] indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.”[9]  The court also disagreed with the CPPA’s argument that the delayed regulations did not prejudice businesses seeking to comply with the law.[10]

Yet the court did not agree that enforcement of the entire regulatory scheme should be delayed.  “[T]he Court agrees with the [CPPA] that delaying the [CPPA]’s ability to enforce any violation of the Act for 12 months after the last regulation in a single area has been implemented would likewise thwart the voters’ intent to protect the privacy of Californians as contemplated by Proposition 24.”[11]

The court struck a balance between the Chamber’s and the CPPA’s arguments, allowing enforcement of the regulations on a piecemeal basis, one year after they are finalized:  “the Court hereby stays the Agency’s enforcement of any Agency regulation implemented pursuant to Subdivision (d) for 12 months after that individual regulation is implemented.”[12]  “By way of example, if an Agency regulation passes regarding Section 1798.185 subdivision (a), subsection (16) (requiring the Agency issue regulations governing automated decision-making technology) on October 1, 2023, the Agency will be prohibited from enforcing a violation of said regulation until October 1, 2024.  The Agency may begin enforcing those regulations that became final on March 29, 2023 on March 29, 2024.”[13]

The order is good news for businesses subject to the law, which will have an extra nine months to comply with the CPRA regulations that were finalized on March 29, 2023.  The order also provides a clear timeline for enforcement of forthcoming CPRA regulations, including in the three areas mentioned above.  The CPRA is only permitted to enforce these new regulations twelve months after they have been finalized by the Office of Administrative Law.

Other California Privacy Regulations—and the Underlying Laws—Are in Force

It is important to note that the court’s ruling focuses regulations promulgated under the CPRA.  To the extent the statutory basis for existing CCPA regulations remained unchanged by the CPRA, those regulations may continue to be enforced. In addition, to the extent the CPPA intends to bring enforcement actions for a business’s failure to comply with requirements set out in the CPRA’s statutory text, itself, the court’s ruling is not likely to prevent it from doing so. But enforcement may be muddied by questions as to whether any compliance failures are the result of actual non-compliance or whether they were caused by a good-faith misunderstanding based on lack of insights from the regulations.  In any case, the CPPA remains able to bring enforcement actions for failure to comply with provisions of the CCPA that were left unamended when the CPRA was enacted.

Viewed through that lens, though the ruling provides relief for businesses rushing to comply with the delayed CPRA regulations, the impact of the court’s ruling may be considered  somewhat limited:  only enforcement of the March 29, 2023 regulations are delayed until March 29, 2024 (and enforcement of any forthcoming regulations will begin one year after they are finalized).  Enforceable regulations concern a host of topics relating to the seven core consumer rights under the CCPA and related topics.[14]

The CPPA May Continue the Fight

The CPPA may appeal the Superior Court order.  The default California rules provide an automatic stay of trial court proceedings and of enforcement of the Superior Court’s order.[15]  This means that the Superior Court’s order to delay the enforcement of the CPRA regulations could be put on pause.  If that happens, the CPPA’s regulations could be enforceable, pending the CPPA’s appeal.  If appealed, the Chamber could seek to maintain the status quo of the Superior Court’s order, allowing the delay of enforcement of the CPRA regulations to continue.  In assessing such a request, the Court of Appeal would balance hardships and benefits, likely weighing the public’s and state’s interests in earlier enforcement of privacy regulations against the interests of businesses in having the time that voters’ prescribed to comply with the law.[16]

The CPPA Will Speak

The CPPA has scheduled a public meeting for July 14, 2023.  The proposed agenda confirms that the CPPA Board will publicly discuss key updates, including enforcement.  In addition, “the Board will meet in closed session to confer and receive advice from legal counsel regarding” the Chamber lawsuit.[17]  We will continue to monitor the development of the CPPA, CCPA, CPRA, and other notable state privacy laws and regulations.

__________________________

[1] California Chamber Of Commerce vs. California Privacy Protection Agency (June 30, 2023) 34-2023-80004106-CU-WM-GDS (J. Arguelles order); Cal. Civ. Code § 1798.185, subd. (d) (“Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.”).

[2] The California legislature generally cannot repeal voter initiatives, once passed.  These compromises are a common way for the legislature to refine voter initiatives.  California Constitution, Article II, Section 10 (c); California Election Code, Section 9034.

[3] Cal. Civ. Code § 1798.185, subd. (d).

[4] Id. § 1798.185, subd. (a).

[5] The CPPA has invited and received pre-rulemaking comments on the three remaining topics.  California Privacy Protection Agency, Preliminary Rulemaking Activities on Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking (Feb. 10, 2023), available at https://cppa.ca.gov/regulations/pre_rulemaking_activities_pr_02-2023.html

[6] California Chamber of Commerce vs. California Privacy Protection Agency (March 30, 2023) 34-2023-80004106-CU-WM-GDS (complaint).

[7] Order at 3-5.

[8] Id. at 4.

[9] Id.

[10]  Id. at 5.

[11] Id. at 4-5.

[12] Id.

[13] Id.

[14] For additional reading concerning the scope of the enforceable regulations, please review our Privacy, Cybersecurity and Data Innovation Practice Group’s publications.

[15] Cal. Cod Civ. Proc. § 916.  The Superior Court’s order proceeded on the Chamber’s petition for writ of mandate (dismissing other causes of action for declaratory and injunctive relief as moot).  Order at 5.  In traditional mandamus, perfecting appeal automatically stays effect of the writ.  Johnston v. Jones (1925) 74 Cal.App. 272; Cal. Code Civ. Proc. § 1094.5.

[16] See Building Code Action v. Energy Resources Conservation & Dev. Com. (1979) 88 Cal.App.3d 913, 922.

[17] California Privacy Protection Agency Board, Meeting Notice and Agenda (June, 30, 2023), available at https://www.cppa.ca.gov/meetings/agendas/20230714.pdf.

The following Gibson Dunn lawyers assisted in preparing this alert: Cassandra Gaedt-Sheckter, Jane Horvath, Vivek Mohan, Eric Vandevelde, Benjamin Wagner, Christopher Rosina, and Tony Bedel.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

United States
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Jane C. Horvath – Co-Chair, PCDI Practice, Washington, D.C. (+1 202-955-8505, [email protected])
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202-955-8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, [email protected])
Lauren R. Goldman – New York (+1 212-351-2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
Vivek Mohan – Palo Alto (+1 650-849-5345, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Rosemarie T. Ring – San Francisco (+1 415-393-8247, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44(0) 20 7071 4289, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])

Asia
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.