TheCorporateCounsel.net

July 20, 2023

ICYMI: Enforcement of Certain California Privacy Regulations Delayed

In case you missed it, here’s an update on the CCPA from Gibson Dunn:

On June 30, 2023, Sacramento Superior Court Judge James Arguelles held that the California Privacy Protection Agency (CPPA) cannot enforce its regulations issued on March 29, 2023, until March 29, 2024—about nine months later than the date the California Privacy Rights Act (CPRA) permitted enforcement of any provisions added or amended by the law.  This development provides helpful breathing room for businesses seeking to comply.

We non-data privacy people may feel like this is a hurry-up-and-wait-type situation, but the alert says: “It is important to note that this reprieve only exists for the new regulations issued under the CPRA on March 29, 2023, not all aspects of the CPRA.”  Wait, CCPA? CPRA? CPPA? California’s privacy laws — and the interested parties involved — could compete with ESG for the number of confusing acronyms flying around. Luckily, the article gives a summary of the saga and reminds us what they all mean:

An advocacy group, Californians for Consumer Privacy, began collecting signatures and by 2018, was in position to successfully submit a ballot initiative for consideration by California voters in the November 2018 election titled the “California Consumer Privacy Act,” or CCPA.  State legislators negotiated a compromise with key stakeholders, including Californians for Consumer Privacy, and enacted a last-minute compromise draft through the legislative process in exchange for pulling the initiative off of the November 2018 ballot. The state legislature passed the California Consumer Privacy Act (CCPA) as AB 375 and it was signed into law on June 28, 2018, with provisions becoming operative January 1, 2020.

After the passage of the CCPA, but even before it came into effect, Californians for Consumer Privacy remained dissatisfied with the state of California privacy law and began a second ballot initiative, the California Privacy Rights Act (CPRA).  Voters approved the initiative in November 2020.  The CPRA amended the CCPA by, among other things, adding additional consumer rights, including the right to correct inaccurate personal information, the right to opt out of certain “sharing” of data (rather than just the right to opt out of “sale” of data), and the right to limit the use and disclosure of sensitive personal information.

The CPRA also created the California Privacy Protection Agency (CPPA) and charged it with promulgating final regulations under the law and, along with the Attorney General, enforcing the law and those regulations.  The CPRA specified that “[t]he timeline for adopting final regulations required by the act … shall be July 1, 2022” and “[n]otwithstanding any other law, civil and administrative enforcement … shall not commence until July 1, 2023[.]”

The CPPA, however, failed to finalize regulations by July 1, 2022, and businesses seeking to comply with the new requirements were left to wonder about both the ultimate content of the regulations and their potential enforcement exposure and liability.  On March 29, 2023, nine months after the deadline, the CPPA issued final regulations relating to twelve of the fifteen topics contemplated by the CPRA—leaving businesses just three months to comply.

This decision was the result of a lawsuit by the California Chamber of Commerce. You’ll have to see the Gibson Dunn article or talk to your data privacy people to understand which regulations were delayed, but I hope this primer made those conversations more comprehensible!

Speaking of, state developments in data privacy regulations have been keeping us busy posting materials on this site. Our “Cybersecurity/Privacy Rights/Security Breaches/Data Governance” Practice Area has lots of related resources.

– Meredith Ervine