This week, the California Superior Court ruled that the California Privacy Protection Agency (CPPA) cannot begin enforcement of the California Privacy Rights Act (CPRA) until March 2024. The ruling stems from a lawsuit filed by the California Chamber of Commerce which argued that state businesses would not have enough time to prepare for the upcoming changes and enforcement thereof.

Judge James P. Arguelles held that the CPRA included plain language requiring the CPPA to have final regulations in place by July 1, 2022, with enforcement allowed to begin a year later. The final rules, which outline how businesses should handle consumer requests to exercise their privacy rights and various other compliance standards, were not issued until March 29, 2023. Judge Arguelles said in his ruling that “[t]he very inclusion of these dates indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.”

A recent report issued by Common Sense Media, a non-profit organization focused on supporting high quality media and digital resources, found that almost half of the products or apps used by consumers are not in compliance with these California privacy laws.   

Ashkan Soltani, Executive Director of the CPPA, noted in a statement after the ruling that “significant portions” of the privacy protections established by Proposition 24, nevertheless, can be enforced as of July 1.  Soltani said, “Although we’re disappointed the court granted the Chamber’s request to delay enforcement of portions of the regulations enacted earlier this year [i.e. CPRA], the Agency remains committed to advancing the privacy rights of Californians and will take the appropriate next steps to safeguard the protections Californians overwhelmingly supported at the ballot box” pursuant to the California Privacy Protection Act passed before the CPRA. While businesses have some additional time to get a handle on CPRA requirements, the CPPA will begin enforcement of the Privacy Act which has been in effect since 2020.

Other states continue to follow California’s lead. On June 30, 2023, the Delaware General Assembly passed HB 154, which is a CCPA-like comprehensive privacy law that will take effect on January 1, 2025, and applies to businesses that process personal data of more than 35,000 consumers and does not exempt non-profit organizations. Also note that the consumer privacy laws in Colorado and Connecticut took effect on July 1.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.