February 15, 2024

CA Court of Appeal Reverses CPRA Regulatory Enforcement Deadline

A California Court of Appeal has reinstated the California Privacy Protection Agency’s (Agency) ability to enforce previously stayed California Privacy Rights Act (CPRA) regulations set to take effect March 29, 2024.

A lawsuit initiated by the California Chamber of Commerce in June 2023 challenged the Agency’s authority to initiate regulatory efforts, alleging government overreach, conflicts with existing law, and the imposition of unnecessary burdens upon businesses. As a result, as discussed here, in July 2023, a County of Sacramento Superior Court stayed enforcement of CPRA regulations until March 29, 2024. The Agency immediately appealed, and on February 9, 2024, the lower court ruling was overturned.

In overturning the lower court’s ruling, the Court of Appeal held that since there is no “explicit and forceful language” in the text of the CPRA prohibiting enforcement of the CPRA until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise.

It is unknown whether this decision will be appealed to the California Supreme Court.

What Does it All Mean?

Reversal of the March 29, 2024, deadline allows for immediate enforcement of CPRA regulations.

The CPRA amended and expanded the California Consumer Protection Act (CCPA) by, among other things, giving consumers the right to correct inaccurate personal information collected by a covered business and to limit a covered business’s use and disclosure of “sensitive personal information” (e.g., social security number, racial or ethnic origin, religious beliefs, genetic data, precise geolocation) to specific identified purposes.

Employers subject to CCPA regulations should, if they have not already, complete the following steps toward compliance:

  • Inventory and map consumer data (e.g., employee and job applicant data).
  • Understand employer privacy obligations and finalize appropriate notices:
    • Providing notification to applicants, employees, and contractors as to the categories of personal information that are (or may be) collected by the employer.
    • Informing employees of their rights when it comes to access or restrictions on the use or disclosure of certain categories of personal information.
    • Informing employees of their rights when it comes to correcting or deleting personal information (subject to specific exemptions as applicable).
    • Informing employees about their right to request the personal information collected by the employer during the preceding 12 months.
  • Add CCPA compliance training to existing supervisor training modules.
  • Given that further rulemaking is underway at the Agency concerning cybersecurity, employers should also begin internal assessments of risk factors associated with any sensitive data collected or maintained (e.g., employment-related data such as social security numbers and leave-related information).

Key to maintaining a privacy-compliant workplace will be keeping up to date with CCPA mandates and making sure compliance efforts are tailored to the specific data collection and usage of the employer’s business.