Businesses Welcome Calif. Privacy Rules State Court ‘Reprieve’
Industry breathed a sigh of relief after a California state court delayed enforcement of California Privacy Rights Act regulations Friday. The California Chamber of Commerce (CalChamber) said the ruling by the California Superior Court in Sacramento righted an unfair situation for businesses. “Significant portions” of CPRA remain enforceable, despite the court’s ruling, said California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Meanwhile, the Delaware legislature passed another state privacy bill. Connecticut and Colorado privacy laws took effect Saturday. The Delaware House voted 37-3 Friday to concur with the Senate, which passed HB-154 earlier that day. The Oregon legislature passed its own comprehensive bill June 22 (see 2306220059).
California's 2020 privacy statute had required the CPPA to start enforcing regulations implementing the sequel to the California Consumer Privacy Act (CCPA) on Saturday. But the state court partly granted a stay request by CalChamber after a hearing Friday (case 34-2023-80004106-CU-WM-GDS). The final decision, which closely tracked with a tentative ruling released Thursday (see 2306300052), means the CPPA may start enforcing rules it finalized March 29, 2023, on that date in 2024, and any rules to come 12 months after they’re finalized. CCPA rules will remain enforceable by the California attorney general.
Judge James Arguelles’ ruling “provides some certainty and basic fairness for California businesses as they work to comply with the complicated mandates called for in Proposition 24,” the ballot initiative that established the CPRA, said CalChamber CEO Jennifer Barrera in a news release. “In passing Proposition 24, voters understood that businesses should be provided time to implement new rules before any enforcement action is taken. The Court underscored this today, recognizing that it would be unfair for the CPPA to enforce new regulations when the impacted businesses did not even know what was going to be required of them.”
The CPPA is disappointed by the enforcement delay, Soltani said. But the state agency “remains committed to advancing the privacy rights of Californians and will take the appropriate next steps to safeguard the protections Californians overwhelmingly supported at the ballot box,” he said.
The ruling “buys some time for businesses to build out solid compliance plans for the elements added in the regulations,” said Wiley privacy attorney Joan Stewart. “This decision will be helpful for businesses that are trying to implement procedures to recognize and process an opt-out preference signal” like the global privacy control, “which the regulations made clear is a requirement if the business sells or shares personal information,” said Stewart: The delay means "that obligation will track more closely to the deadline imposed by Colorado.”
California DOJ didn’t comment on the ruling and what it means for its own CPRA enforcement authority. The court said in one section it's staying the California privacy agency’s enforcement of any regulation, which might raise a question of whether the ruling also covers civil enforcement by the state AG. But the ruling later says “enforcement of any final Agency regulation ... will be stayed,” which could be read as including the AG.
Though the court wasn’t consistent about the scope of its order, Electronic Privacy Information Center Senior Counsel John Davisson said the ruling's practical effect will probably be to halt both AG and agency enforcement. The court interpreted a timeline that applied equally to agency and AG enforcement, he noted. Wiley’s Stewart agreed the ruling likely applies to AG enforcement. The privacy attorney noted CalChamber’s petition listed both the agency and AG as respondents and asked the court to stop respondents and all other public officers from enforcing the rules. However, the agency and AG may still enforce CPRA statutory provisions that took effect Jan. 1, she said.
“Reprieve!” exclaimed business privacy attorneys at Fisher Phillips. “But it is not a wholesale carveout from any enforcement of the CPRA,” they blogged. "Businesses still need to comply with the CPRA provisions which were in the ballot initiative."
State Privacy Laws Near a Dozen
Delaware could be the 12th state with a consumer privacy law. If signed by Gov. John Carney (D), it could take effect Jan. 1, 2025. The governor didn’t comment Monday.
Largely tracking Connecticut’s privacy law, Delaware’s measure would be “one of the more consumer-friendly state consumer data privacy bills passed to date,” Husch Blackwell attorney David Stauss blogged Sunday. Stauss, who worked on Connecticut’s bill, highlighted some differences, including that the Delaware bill has lower application thresholds to account for its small population, it exempts some nonprofits, and it adds a consumer right to obtain “a list of the categories of third parties to which the controller has disclosed the consumer’s personal data."
The Delaware law would be stronger than most other state laws, Consumer Reports said. CR highlighted parts requiring companies to honor browser opt-out privacy signals; expansion of children’s data protections to kids under 18, up from 16; and definitions of sensitive and biometric information that it said are broader than most states. “Instead of simply copying an existing law word for word, this bill makes some important contributions,” said CR Policy Analyst Matt Schwartz. “At the same time, we urge legislators to close loopholes that remain, including those relating to loyalty programs, the definition of ‘targeted advertisement,' and enforcement.”