Are You Ready? CPRA Regulations Effective Immediately

A California appeals court has overturned a decision from June 30, 2023, that had delayed – until March 29, 2024 – the enforcement of final regulations adopted under the California Privacy Rights Act (CPRA).

On Friday, February 9, the Court of Appeal for the Third Appellate District held that the final CPRA regulations – which supplemented and amended previously existing regulations under the California Consumer Privacy Act (CCPA) – could be enforced by the Agency immediately.

In other words, the dozen CPRA regulations finalized last spring are now effective and enforceable, including new regulations related to dark patterns, new consumer rights to correct personal information and to opt out of the use and disclosure of sensitive personal information, and requirements on businesses to recognize browser-based opt-out preference signals (e.g., Global Privacy Control).

Beyond accelerating enforcement of these CPRA regulations by about seven weeks, the appellate decision could have an even more significant effect: it may leave businesses only a short window to become compliant with the final three outstanding CPRA regulations, whenever the Agency finalizes them. In late November, the Agency published draft regulations pertaining to: (1) cybersecurity audits, (2) automated decision-making technology, and (3) risk assessments. Much of the Agency’s December board meeting was devoted to refining and advancing these three outstanding draft regulations. Following the appellate court’s decision (and the reasoning underpinning it), companies may no longer be able to count on a 12-month grace period between final approval and enforcement of the three outstanding regulations. This is because the appellate court held that the CPRA statute did not expressly contain “clear, unequivocal language mandating a one-year delay between approval and enforcement” of regulations, and the court declined to infer such a delay.

Given that a whole slate of CPRA regulations is now effective nearly two months earlier than anticipated, businesses should be stress-testing and putting the finishing touches on their compliance updates for the dozen regulations already finalized. Moreover, with only a short grace period to come into compliance with the three outstanding draft regulations when finalized (cybersecurity audits, automated decision-making technology, and risk assessments), businesses should review the latest Agency drafts and begin laying groundwork for the looming compliance changes.