New CCPA Regulations Are Now Enforceable: Here’s What You Need To Know

Regulations under the California Consumer Privacy Act (CCPA) are now enforceable after the California Privacy Protection Agency (CPPA) scored a court victory last week.

• The CPPA has finalized regulations across 12 areas of CCPA compliance. Following a court case last year, enforcement of these regulations had been delayed until March 29 2024.
• The decision to delay enforcement was reversed at appeal, meaning the finalized regulations are enforceable now.
• Draft regulations in three further areas—cybersecurity audits, risk assessment, and automated decision-making technology—will be enforceable immediately upon finalization.

What are the CPPA’s regulations?

The CPPA is the first dedicated privacy regulator in the US. It was set up under the California Privacy Rights Act (CPRA) to enforce the CCPA alongside the California Attorney General.

One of the CPPA’s first tasks was to create regulations (also called “rules”) to clarify and interpret CPPA compliance. So far, the CPPA has created regulations covering across 12 important areas, including:

• Privacy policies and other transparency information
• Restrictions on how businesses collect and share personal information
• Consumers’ rights to access, correct, and erase their personal information

The regulations provide detailed requirements on how to comply with the CCPA (as amended by the CPRA) and a violation of the regulations is a violation of the CCPA itself.

What was this court case all about?

First, let’s explain why the CPPA’s regulations were initially delayed.

The CPPA was supposed to finalize regulations in 15 areas by July 1, 2022. The agency would have had the power to enforce the regulations twelve months later, on July 1, 2023.

But when the deadline arrived, the CPPA hadn’t finalized any regulations.

Nine months later, on March 29, 2023, the CPPA finalized regulations covering 12 of the 15 required areas. Regulations in three other areas are still in draft at the time of writing.

Despite this delay, the CPPA wanted to start enforcing its finalized regulations on the original date (July 1, 2023), giving businesses just two months to prepare.

The California Chamber of Commerce sued the CPPA, arguing that the agency should not be allowed to enforce its regulations until 12 months after it had finished creating regulations across all 15 required areas.

Who won?

The Chamber of Commerce partially won at the initial trial.

The court said the CPPA must wait 12 months (until March 29, 2024) before enforcing the regulations it had already finalized. Whenever the remaining regulations were finalized, the CPPA would have to wait another 12 months to enforce those.

But the CPPA appealed, and won. The appeal court decided that the CPPA can enforce its finalized regulations now.

This is not much of a victory for the agency, as it only brings enforcement forward by around six weeks.

But the court also decided that once the CPPA finalizes its draft regulations covering the remaining three areas, they will be enforceable immediately, with no grace period.

What should CCPA-covered businesses do now?

If you’re covered by the CCPA:

• Make sure you’re compliant with the regulations that are now in force, available here. These are enforceable now, and cover 12 areas of CCPA compliance.
• Read, understand, and prepare for the regulations on cybersecurity audits, risk assessments, and automated decision-making technologies, available here. These will be enforceable immediately once finalized and approved, but they might change slightly before finalization.