The implementation of privacy rights in California began In 1972, when California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people.

Since California voters approved the constitutional right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, but consumers had no right to learn what personal information a business had collected about them and how they used it or to direct businesses not to sell the consumer’s personal information.

To facilitate that missing right, the legislature passed a landmark data privacy law in 2018, the California Consumer Privacy Act of 2018 (CCPA) into law. It gives consumers more control over the personal information that businesses collect about them.

In November of 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act, (CPRA), which amended the CCPA and added new additional privacy protections that began on January 1, 2023.

The California Privacy Rights Act (Amended by the CPRA) established a new agency, the California Privacy Protection Agency (CPPA) to implement and enforce the law. The CPPA is governed by a five-member Board. One board seat is currently vacant.

The Act’s enforcement provision as it applies to the Agency appears in section 1798.185, subdivision (d) of the Civil Code. The timeline for adopting final regulations was July 1, 2022.

Businesses that are subject to the CCPA are those that meet the complex criteria established by this law, including the definitions specified in Civil Code 1798.140(d) and other sections of the law and regulations. These businesses have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices.

However on June 30, 2023, the California Superior Court issued a decision blocking the California Privacy Protection Agency (“CPPA” or the “Agency”) from enforcing new regulations governing the collection and use of consumer data until March 2024.

On March 29, 2023, the Agency’s first set of regulations under the Act were approved by the Office of Administrative Law (OAL) in twelve of the fifteen areas contemplated by Section 1798.185. The Agency concedes in the action brought by the Chamber of Commerce that it has not yet finalized regulations regarding the three remaining areas–cybersecurity audits, risk assessments, and automated decision-making technology – as contemplated by Section 1798.185. Regulations will not be finalized in these areas until sometime after July 1, 2023.

The June 30, 2023 disposition of the Court in the Chamber of Commerce Action was “Enforcement of any final Agency regulation implemented pursuant to Subdivision (d) will be stayed for a period of 12 months from the date that individual regulation becomes final, as described above. The Court declines to mandate any specific date by which the Agency must finalize regulations. This ruling is intended to apply to the mandatory areas of regulation contemplated by Section 1798.185, subdivision (a). Consistent with the plain language of Section 1798.185, subdivision (d), regulations previously passed pursuant to the CCPA will remain in full force and effect until superseding regulations passed by the Agency become enforceable in accordance with the Court’s Order.”

In reaching its decision, the court found that the text of the CPRA “indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” If the CPPA were to begin enforcing the regulations on July 1, 2023, about three months after it adopted the final regulations, businesses subject to the CPRA would have “no time to come into compliance,” which “would not be in keeping with the voters’ intent.” Accordingly, the court concluded that the CPPA “may begin enforcing those regulations that became final on March 29, 2023 on March 29, 2024.”

Nonetheless, on July 14, 2023, the California Attorney General announced an investigative sweep, through inquiry letters sent to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.

The Attorney General announced that he “is committed to the robust enforcement of the CCPA. And as an example, he noted that in August 2022, he announced a settlement with Sephora resolving allegations that it failed to disclose to consumers that it was selling their personal information and failed to process opt-out requests via user-enabled global privacy controls in violation of the CCPA.

Moreover, he has conducted several investigative sweeps, most recently of popular mobile applications compliance with consumer opt-out requests.

Lawsuit Blocks Enforcement of New Calif Privacy Protection Agency Regs