Changes to the California Consumer Privacy Act (CCPA) expected to take effect July 1 have been stayed until March 2024 following a ruling from the Sacramento County Superior Court.
On Friday, the court determined the California Privacy Protection Agency (CPPA) did not adopt final regulations in a timely manner as required under the California Privacy Rights Act (CPRA). The CPRA called for changes to the CCPA to be adopted by July 1, 2022; the agency in March announced the final rules.
In disagreement with the CPPA, the court ruled the CPRA as approved by California voters called for a 12-month grace period between the agency’s adoption of final regulations and their enforcement.
“The court is not persuaded by the agency’s argument that it may ignore one date while enforcing the other,” the ruling stated.
Changes to the CCPA under the CPRA include the expansion of residents’ private right of action, through which they may sue companies directly in certain circumstances following a data breach, to include email address rights. Also granted are additional data protection rights to California consumers and employees, including remote workers who are California residents.
The CPPA took over enforcement of the CCPA as of July 1.
The CPPA has yet to release rulemaking regarding cybersecurity audits, risk assessments, and automated decision-making technology as required by the CPRA. Once those rules have been passed, they cannot be enforced for at least 12 months, according to the court’s ruling.
The ruling came in response to a petition filed by the California Chamber of Commerce in March.