A California court delayed a hearing related to the timing of state privacy rules by nearly five months. The California Superior Court of Sacramento received briefs last month on whether to set a deadline for the California Privacy Protection Agency (CPPA) to make rules on cybersecurity audits, risk assessments and automated decision-making technology (see 2405230034). The California Superior Court of Sacramento postponed a June 21 hearing on the question until Nov. 15 due to “a request of the parties,” said court minutes posted Monday in case 34-2023-80004106-CU-WM-GDS.
A state court needn’t set a deadline for the California Privacy Protection Agency (CPPA) to make rules on cybersecurity audits, risk assessments and automated decision-making technology, with enforcement “still distant,” the agency said Wednesday. The California Superior Court of Sacramento asked May 3 if it should set a “date certain” for those rules after the California Chamber of Commerce’s lawsuit against the agency returned to the court. The court scheduled a June 21 hearing on the question. In February, California’s 3rd District Court of Appeal reversed the court’s June decision that granted a CalChamber petition and stayed any CPPA rules for 12 months after they become final. CalChamber petitioned for review at the California Supreme Court (see 2402210031), but that court declined to take the case on April 24. As a result, the only remaining issue for the Superior Court to decide is whether to set a deadline for the upcoming CPPA rules. In its Wednesday brief, the privacy agency said it started drafting remaining rules at issue in the case and will finalize them "once it has determined that it has received sufficient feedback from stakeholders and obtained necessary approval from state control agencies. In the meantime, it will not enforce the law in the specific areas still subject to regulation. Petitioner is entitled to nothing more.” It would be “improper” for the court to set a deadline because the Administrative Procedure Act (APA) “rulemaking process involves a substantial exercise of judgment and discretion over the timeline of the process itself,” the agency said in case 34-2023-80004106-CU-WM-GDS. “Petitioner's interests are already protected by enforcement delays and the APA-mandated procedures for stakeholder input.” The agency already took more feedback than the APA requires in a pre-rulemaking phase and will soon seek more input when it opens a formal rulemaking process, added the agency. In another brief, CalChamber pointed out that the agency was supposed to adopt final rules by July 1, 2022. “Petitioner continues to be concerned about the Agency’s timeline for fulfilling its statutory obligations with respect to the three outstanding rulemakings.” Given the coming rules’ significance, CalChamber "remains invested in ensuring the Agency does not attempt to adopt the regulations on a timeline that does not allow sufficient time for stakeholder review and participation, public comments, and meaningful consideration of public input,” said the business group. That said, CalChamber noted that only the agency "can fully address the anticipated timing for the adoption of the outstanding regulations.”
For “many years,” General Motors, OnStar and LexisNexis Risk Solutions have been collecting location, vehicle and personally identifiable information (PII) from OnStar-equipped vehicles and selling “vast amounts” of that data to third parties, alleged a privacy class action Friday (docket 2:24-cv-02978) in U.S. District Court for Central California in Los Angeles.
The California Supreme Court will decide by May 20 whether to grant or deny review of a state appeals court’s Feb. 9 decision that the California Privacy Protection Agency (CPPA) may start enforcing California Privacy Rights Act (CPRA) regulations, the high court said Wednesday (docket S283856). The California Chamber of Commerce in February filed a petition to review California’s 3rd District Court of Appeal decision that vacated the June decision of the California Superior Court in Sacramento. The superior court had granted a CalChamber petition and stayed any CPPA rules for 12 months after they become final (see 2402210031).
Businesses sought California Supreme Court review of a state appeals court’s Feb. 9 decision that the California Privacy Protection Agency (CPPA) may start enforcing California Privacy Rights Act (CPRA) regulations. The California Chamber of Commerce (CalChamber) on Tuesday filed a petition for review (case S283856). California’s 3rd District Court of Appeal had vacated the June decision of the California Superior Court in Sacramento, which had granted a CalChamber petition and stayed any CPPA rules for 12 months after they become final (see 2402090078). At the California Supreme Court, CalChamber argued that the appeals court ruling means businesses will have only one month to prepare for enforcement. “The Agency failed to adopt regulations necessary to implement the initiative by the statutory deadline, and it continues to repudiate the linked requirement … to abstain from commencing regulatory and civil enforcement until one year after issuance of those regulations,” the CalChamber petition said. “The Agency’s conduct threatens substantial harm to thousands of California businesses and the consumers they serve.” CalChamber CEO Jennifer Barrera said she sees “no way the voters envisioned a scenario where enforcement of regulations would begin without those regulations being in place for a reasonable period of time that affords both businesses and consumers with adequate time to prepare and comply.” The state privacy agency declined to comment Wednesday.
The California Chamber of Commerce “is considering its options,” said a CalChamber spokesperson after a state appeals court on Friday reversed a lower court’s decision to delay a state agency’s enforcement of California Privacy Rights Act regulations (see 2402090078). In June, the California Superior Court in Sacramento had granted a CalChamber petition and stayed any California Privacy Protection Agency (CPPA) rules for 12 months after they become final (see 2307030025). The privacy agency could have started enforcing CPRA rules July 1, but the lower court’s decision meant rules adopted March 29, wouldn’t take effect for one year. “Because there is no ‘explicit and forceful language’ mandating that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise,” wrote 3rd District Justice Elena Duarte wrote. CalChamber praised the court for noting that the agency “failed to comply with the express terms of the statutory provision regarding the adoption of final regulations,” said the business group’s spokesperson: But CalChamber is disappointed that the appeals court didn’t “agree on a remedy for the Agency’s failure to comply.” The CPPA applauded the decision. “The California voters didn’t intend for businesses to pick and choose which privacy rights to honor,” said CPPA Enforcement Deputy Director Michael Macko: Agency enforcers stand “ready to take it from here.”
A California appeals court reversed a lower court’s decision to delay a state agency’s enforcement of California Privacy Rights Act (CPRA) regulations Friday.