Calif. Court Leans Toward Delaying CPRA Rules Enforcement

One day before a Friday hearing on a California Chamber of Commerce (CalChamber) lawsuit against the CPPA, the California Superior Court in Sacramento posted a tentative ruling partly granting the stay request. The ruling’s tentative nature means it could change. The court didn’t issue a final decision by our deadline Friday. The CPPA and CalChamber declined to comment Friday on the tentative ruling in case 34-2023-80004106-CU-WM-GDS.

CalChamber sought to delay enforcement until one year after all rules are finished. The group argued it isn't fair to start enforcing a partial set of rules that were finalized about three months ago on March 29, especially since the CPRA contemplated that final rules would be ready by July 1, 2022. The CPPA argued last month that delaying enforcement by 12 months would benefit businesses while hurting consumers and thwarting voters’ will (see 2306070020). CalChamber responded that the agency mustn’t be allowed to make “mincemeat” of statutory deadlines (see 2306160018). The CPRA statute took effect Jan. 1 and CCPA rules will remain enforceable by the California attorney general if the agency rules implementing CPRA are stayed.

The July 2022 deadline “would be rendered meaningless and mere surplusage” if interpreted "as anything but a deadline to adopt final regulations,” said the California court’s draft decision: Otherwise, there might be no limit to how long the agency could take to pass final rules. "It is clear from the plain language of the statute that this was not the voters’ intent.” Including the one-year-apart July dates in CPRA "indicates the voters intended there to be a gap between the passing of final regulations and enforcement of those regulations,” the court said. “The Court is not persuaded by the Agency’s argument that it may ignore one date while enforcing the other.”

On enforcing rules yet to be released, the court tentatively agreed with CalChamber that the agency shouldn't be able to enforce them immediately after they're finalized. However, the court agreed with the privacy agency that enforcement of March 29 rules shouldn't be delayed until 12 months after every rule is final, including those still in development. "Striking a balance between the two, the Court hereby stays the Agency’s enforcement of any Agency regulation implemented pursuant to Subdivision (d) for 12 months after that individual regulation is implemented." That means the CPPA can start enforcing the March 29 rules on that date in 2024, and the CPPA can start enforcing any rules to come 12 months after they’re finalized, the draft ruling said.

The foreshadowed ruling might "put a fire under the CPPA to accelerate” rulemaking efforts, but the relief for companies behind schedule with compliance isn’t as broad as it "might appear at first blush,” Squire Patton’s Alan Friel emailed Friday. The stay in the tentative ruling seems to be directed only at the CPPA, but the state AG “also has enforcement authority and would seem to be unrestricted in its ability to enforce the new regulations as of July 1,” noted the privacy attorney for businesses. Also, the CPPA wouldn’t be “restricted by the order in enforcement of the regulations previously promulgated by the AG, or the statute itself,” he said.

The possibly stayed CPRA rules "merely flesh out implementation details of what the Act requires,” added Friel. “The most impactful new rights and obligations added by CPRA to CCPA are statutory not regulatory. Those include the privacy law’s applications to human resources and business-to-business data and rights to opt out of sharing for cross-context behavioral advertising and to correct and limit use of sensitive personal information, he said.

The Electronic Privacy Information Center was disappointed with the tentative ruling, said Senior Counsel John Davisson in an interview. “I don't buy the argument that the way to cure one delay is for the court to impose another one,” he said. Voters wanted to secure privacy rights for themselves quickly and it’s “distressing to see the court upending that timetable.” Davisson said he hopes the court's rationale is challenged because it might create problems later if even rule amendments can’t be enforced for a year.

Conn., Colo. Laws Kick In

Many compliance obligations overlap among state privacy laws, but "businesses should be aware of the key obligations for" the Colorado and Connecticut laws, "since they may require businesses to update their privacy notices and practices," Wilson Sonsini lawyers blogged Tuesday.

Connecticut and Colorado laws differ in some ways, Stinson privacy lawyers blogged June 22. Connecticut's law exempts nonprofits, higher education institutions, entities covered by the 1996 Health Insurance Portability and Accountability Act and data covered by the Family Educational Rights and Privacy Act, they said. Also, unlike Colorado, Connecticut’s law doesn't require authentication to opt out, the lawyers said. "While Connecticut does have a similar universal opt-out mechanism requirement," it won't take effect until Jan. 1, 2025.

The Delaware Senate on Thursday voted 15-1 for a state privacy bill (HB-154). Senators unanimously approved an amendment, which included an edit to the definition of public available information. It also added exemptions for national securities or registered futures associations and data subject to U.S. Gramm-Leach-Bliley Act rules. The Senate amendment means the bill must go back to the House, which passed the bill June 8 in a 33-5 vote. Microsoft supported the bill, which is like Connecticut's privacy law, at a hearing earlier this week. But multiple tech associations opposed HB-154 because they want it to follow Connecticut’s law more closely (see 2306270048).

The Oregon legislature passed its own comprehensive bill June 22 (see 2306220059). Earlier that week, Texas Gov. Greg Abbott (R) became the 11th governor to sign a consumer privacy measure into law (see 2306200037).