Communications Litigation Today was a Warren News publication.
CalChamber Lawsuit

Don't Delay July 1 CPRA Enforcement, Calif. Privacy Agency Urges Court

June 8, 2023 by Adam Bender|Top News

A California court should decline businesses’ “invitation to thwart the will of the voters by significantly delaying enforcement” of the California Privacy Rights Act (CPRA), said the California Privacy Protection Agency (CPPA). The agency opposed a California Chamber of Commerce lawsuit at the California Superior Court in Sacramento (case 2023-80004106-CV). The 12-month grace period sought by CalChamber "would be a windfall to businesses, to the detriment of consumers,” the agency wrote Monday.

CalChamber seeks to delay enforcement of the California Privacy Rights Act (CPRA) until one year after the California Privacy Protection Agency adopts final rules (see 2304040043). The CPRA required enforcement to start July 1, but the agency’s rules weren’t finalized until March 29, even though the law contemplated that they would be done by July 1, 2022.

Enforcement will start "over three months after the first regulatory package was finalized,” the CPPA told the court. “While rulemaking is still ongoing in three specific areas -- cybersecurity audits, risk assessments, and automated decision-making technology -- the Agency has publicly stated that it will not enforce the law in these areas until the remaining regulations, which themselves could contain provisions deferring their enforcement, have been made final and approved by the Office of Administrative Law (OAL).” The March rules were mostly unchanged from a draft released months earlier, the agency noted. CalChamber, which sued one day after OAL approved the first set of rules, "inexplicably, incorrectly, and repeatedly alleges” the agency hasn’t published any rules, the CPPA added.

There is no clear, unambiguous language in Prop. 24 imposing a mandatory duty on the Agency, either to promulgate all final regulations by a date certain or refrain from enforcing the law in its entirety until one year after all regulations have become final,” said the CPPA: Nor was such a requirement in ballot material provided to voters. “The Voter Information Guide, the Legislative Analyst’s analysis, and the printed arguments for and against the measure are silent with respect to both the supposed mandatory deadline for promulgating regulations and the supposed one-year 'grace period' ... before enforcement may begin that Petitioner is reading into Prop. 24.”

The Chamber "fails to support its bare assertions that businesses would be" severely prejudiced if enforcement begins July 1, the agency said. “Petitioner has not submitted evidence identifying a single business that cannot comply with even one of the March 29 regulations,” but asks the court to “excuse all businesses, regardless of their ability, from complying with every provision, and do so at the expense of the privacy rights that Californians have unequivocally said they want to be the law.” Many companies are already or soon will be subject to similar laws in other states and the EU, and many of the new California rules are updates to existing requirements, the CPPA added.

If some small businesses have difficulty complying and "find themselves subject to an enforcement action, they will have an opportunity to demonstrate that they have been attempting to comply in good faith,” said the CPPA. “Such a unique, context-specific, fact-specific circumstance can be managed on an individual basis, and does not warrant broad relief for all affected businesses for an indefinite period of time.”

California privacy rules may never be final in the petitioner’s view because the CPRA anticipates they will be continually updated as technology and circumstances change, added the agency. “Tying the commencement of enforcement to the completion of the regulatory process would perversely incentivize businesses who may disagree with the law to attempt to delay the rulemaking process.”