?On June 30, a California court enjoined until March 29, 2024, enforcement of the final regulations implementing the California Privacy Rights Act (CPRA). Importantly for employers, this ruling prevents enforcement of only a portion of the web of requirements imposed by the new California privacy law.
The CPRA regulations were issued by California’s new privacy agency, the California Privacy Protection Agency and became final on March 29. The CPRA amended the California Consumer Privacy Act (CCPA), effective Jan. 1. Crucially for employers, the CPRA terminated the CCPA’s near-complete exemption for the personal information of California residents in their capacity as job applicants, employees, independent contractors, and emergency contacts.
As a result, starting on Jan. 1, the CCPA’s comprehensive data protection requirements applied to for-profit California employers with more than $25 million in annual gross revenues. California employers must provide expanded privacy notices to employees and applicants, negotiate CPRA contract terms with most vendors that handle personal data, and comply with requests from employees and applicants to exercise their CPRA data rights.
The CPRA provided a six-month grace period on administrative enforcement and required that enforcement after July 1, 2023, be prospective only. There is no private right of action under the CPRA or the CCPA except in the case of a data security breach. To facilitate compliance efforts, the CPRA required the California Privacy Protection Agency (CPPA) to promulgate final regulations by July 1, 2022, one year before the end of the enforcement grace period.
The final CPRA regulations do not address three of the 15 areas for which the agency is required to issue regulations. This delay and inaction created major challenges for employers that had waited for the regulations to clarify the CPRA’s many gray areas and ambiguities before completing the bulk of their compliance efforts.
The Court’s Injunction
Promptly after the CPRA regulations were finalized, the California Chamber of Commerce petitioned the Superior Court in Sacramento to stay enforcement of the CPRA for 12 months after the adoption of all regulations required by the CPRA. The court granted the petition in part by enjoining enforcement of any regulations implemented pursuant to the CPRA for 12 months after finalization of those regulations. This means that California authorities cannot enforce the regulations approved on March 29, 2023, until March 29, 2024.
Further, any regulations that the agency eventually issues on the three remaining mandatory areas of regulation – cybersecurity audits, risk assessments, and automated decision-making technology – cannot be enforced until 12 months after those regulations are finalized.
The court’s ruling unquestionably prevents the agency from enforcing CPRA regulations that impose requirements on employers beyond what the CPRA itself expressly requires. For example, the CPRA regulations require employers to provide in their privacy policy substantially more detailed information about their disclosure of personal information than what the CPRA itself requires. However, the areas where the final CPRA regulations vary substantially from the CPRA itself are relatively limited.
The more practical effect of the ruling for employers likely will be a material reduction in the risk of an administrative enforcement action before the injunction expires on March 29, 2024. Even before the court’s ruling, the agency’s executive director told California lawmakers at a public hearing that the agency would focus initially on public awareness, education, and voluntary compliance. Consistent with that approach, the agency did not publicly announce after Jan. 1 any actions taken to enforce the provisions of the CCPA that were not amended by the CPRA and, therefore, were not subject to the grace period on administrative enforcement. Indeed, neither the agency nor the California Attorney General has commenced a single reported enforcement action to date involving personal data.
Although the agency’s executive director has been reported as suggesting that at least some enforcement might take place in areas outside the court’s injunction, as a practical matter, enforcing the CPRA without enforcing the regulations may be infeasible.
The regulations clarified dozens of points in the ambiguous statute. On these points, construing the statute without reference to the CPRA regulations can be challenging. Consequently, the injunction on enforcement of the regulations effectively would prevent enforcement of many parts of the statute. Were the agency, nonetheless, to forge ahead, its enforcement actions could become mired in litigation over whether the agency was violating the injunction. In short, the complexities created by the court’s ruling should provide an additional incentive for the agency to maintain its focus on public awareness, education, and voluntary compliance at least until the injunction expires on March 29, 2024.
Key Takeaways
While the court’s injunction may lessen the risk of administrative enforcement before March 29, 2024, employers cannot ignore the possibility that the agency will engage in at least some administrative enforcement before that date. Consequently, employers that are not yet fully in compliance with the CPRA should continue their compliance efforts and not view the court’s ruling as justification for halting their compliance work until the first quarter of 2024.
Employers also should prioritize their compliance efforts to address those CPRA’s requirements that, if not satisfied, are most likely to result in regulatory attention. These priority areas include the following:
- Providing employees and applicants with a notice at collection that complies with the CPRA.
- Making an online privacy policy available to employees and applicants that addresses all of the CPRA’s content requirements.
- Responding to requests to exercise CPRA rights.
- Implementing reasonable and appropriate physical, technical and administrative safeguards for personal information to mitigate the risk of a data breach.
- Adding CPRA-mandated contract terms to agreements with service providers that handle personal information.
Kwabena Appenteng, Zoe Argento, Philip Gordon, and Denise Tran-Nguyen are attorneys with Littler. ©2023. All rights reserved. Reprinted with permission.
