In March 2023, the California Chamber of Commerce filed a Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the California Privacy Protection Agency (CPPA), the agency tasked with implementation and enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA).
The writ sought to compel the CPPA to promptly adopt final regulations and seek to enjoin enforcement actions under the CPRA until 12 months after the adoption of final implementing regulations.
The hearing on the petition for Writ of Mandate was on June 30, 2023, the last day before enforcement was set to commence for the CPRA. Specifically, the superior court’s opinion discusses that the CPPA adopted the first set of regulations in 12 of the 15 areas needed on March 29, 2023. The CPPA conceded it had not yet finalized regulations regarding 3 remaining areas e.g. cybersecurity audits, risk assessments, and automated decision-making technology.
The Chamber argued that California voters “intended for the Agency to issue the complete regulations covering the fifteen mandatory issues by July 1, 2022,” and that “…the voters intended businesses to have one year from the Agency’s adoption of final regulations before the Agency could begin enforcement.”
The CPPA disagreed with the Chamber’s argument indicating the text of the CPRA was not straightforward as to confer a mandatory promulgation deadline.
The superior court granted the writ in part, finding that enforcement of any final CPPA regulation implemented would be stayed for a period of 12 months from the date that individual regulation becomes final. The court however declined to mandate any specific date for the CPPA to finalize regulations.
Based on the ruling, enforcement of the initial regulations approved in March, could not commence until March 2024. It is anticipated the CPPA may appeal the decision, though the ruling would likely remain in place during the pendency of an appeal.
Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.