Last week, a California court released a ruling granting the California Chamber of Commerce’s petition to stay enforcement of the California Privacy Right Act (CPRA) regulations. The petition stems from the failure of the California Privacy Protection Agency (Agency) to adopt final regulations by the statutory deadline (July 1, 2022). Instead, the Agency finalized partial regulations in March 2023 and is still drafting regulations governing risk assessments, cybersecurity audits, and profiling.
The court agreed with the Chamber that the CPRA mandates a 12-month grace period from the date the Agency adopts final regulations. Accordingly, the ruling delays enforcement of the regulations finalized in March 2023 until March 29, 2024, and delays enforcement of future regulations until 12 months from the date the Agency finalizes them.
Although welcome news, businesses should be mindful that delayed enforcement of the CPRA regulations does not impact the state’s ability to enforce the statutory text of the CPRA. Additionally, new privacy laws in Colorado and Connecticut became effective on July 1. This includes a comprehensive set of privacy regulations adopted by the Colorado Attorney General.
Nick is a Partner at M&S where he leads the firm’s Compliance practice areas. He brings more than a decade of experience helping clients understand and comply with federal and state privacy, advertising, and telemarketing laws and regulations.