New California Privacy Law Enforcement Underway Despite Ruling

The California Privacy Protection Agency will continue its enforcement work despite a court ruling last week that prohibits any official action on new rules until next March.

The ruling by state Judge James P. Arguelles for the delay requested by the California Chamber of Commerce will give businesses more time to comply with new California Privacy Rights Act regulations, enforcement of which was scheduled to begin July 1, observers said.

Arguelles wrote that, to help with compliance, a one-year window needs to be in place between when regulations go into effect and when enforcement starts.

The act was a result of Proposition 24, a successful 2020 ballot initiative that further established consumer privacy laws in the Golden State. The court agreed with the California Chamber that regulations under the law should have been in effect by July 2022, a timeline the agency missed due to staffing challenges.

The agency in a statement noted that companies are not completely off the hook, expressing disappointment in the ruling.

“We’re pleased the court held that significant portions of Prop 24’s privacy protections remain enforceable starting tomorrow,” said agency director Ashkan Soltani after the ruling, adding that the agency “will take the appropriate next steps.”

Statute Enforceable

The court decision only applies to current and future regulations, and the underlying language in the California Privacy Rights Act is still enforceable.

For example, new consumer rights granted in the state Privacy Rights Act, such as the right to correct personal information or the right to opt out of “sharing” data, still have to be respected, said Michael La Marca, partner at Hunton Andrews Kurth. Companies have more time to get specific, technical details on how to comply with those rights, however, which the agency has outlined in regulations, he added.

Disagreements over what the statute says could complicate initial enforcement. For instance, business groups have long argued that the act gives them the option of using opt-out links or tools like Global Privacy Control that automatically emit opt-out signals. The agency has disagreed with that interpretation, stating in its regulations that the use of opt-out signals is mandatory.

La Marca cautioned against ignoring the agency’s interpretation just because regulations are unenforceable for now. He noted that opt-out signals were already required before the Privacy Rights Act.

“The picture is very muddy, but for that very reason, I would be very careful in interpreting the delay of the CPRA regulations as permission to postpone effectuating global opt-outs,” said La Marca.

Companies should still take compliance with state privacy law seriously and comply with consumer privacy requests, he added. While they don’t have to follow every single regulation right now, the text of the Privacy Rights Act is still very detailed in its obligations.

The court ruling is good news for businesses planning compliance around automation, risk assessments, and cybersecurity audits. Future rulemaking for those areas, which unlike the CPRA don’t have detailed statutes, will now likely require a year after implementation because of the ruling.

“It’s great news for businesses, particularly for those three areas, because the regulations again will pretty much introduce those topics,” said La Marca. “Businesses can exhale, and then they’ll have a whole year to digest them.”

Agency Preparing

The first-in-the-nation privacy agency hasn’t shown signs of slowing down its enforcement work, hiring Michael Macko as its enforcement chief. Macko previously was a corporate counsel for Amazon.com Inc. and his federal regulatory compliance background includes stints at the Securities and Exchange Commission and the Department of Justice.

Macko will give the agency’s first public update on its enforcement buildup at a July 14 meeting. The agency also aims to have a system in place soon for consumers to file privacy complaints. A chief privacy auditor is slated to be hired and the agency will authorize probable cause hearings if necessary, per the meeting agenda.

The new state budget will authorize funding for the agency to begin hiring for seven more positions on its auditing and enforcement team this fiscal year.

Soltani, the agency director, already indicated in past remarks that the initial focus will be on educating the public and encouraging “voluntary compliance” instead of swift enforcement actions, as hiring is ongoing. Companies, however, should not take a break and expect some activity soon.

“Make sure your (privacy) compliance programs are in place, and you have defensible compliance with statutes,” said La Marca. “This is not a free reprieve from enforcement; it is just a reprieve from enforcement for the CPRA regulations.”