Breathing Room for Employers as Court Enjoins Enforcement of California Privacy Rights Act Regulations

On June 30, 2023, a California court enjoined until March 29, 2024, enforcement of the final regulations implementing the California Privacy Rights Act (CPRA). Importantly for employers, this ruling prevents enforcement of only a portion of the web of requirements imposed by the new California privacy law.  This ASAP explains the impact of the ruling on employers that are subject to the CPRA.

Relevant Background to the Court’s Ruling

The CPRA regulations were issued by California’s new privacy agency, the California Privacy Protection Agency (the “Agency”), and became final on March 29, 2023, to implement the CPRA.1 The CPRA amended the California Consumer Privacy Act (CCPA), effective January 1, 2023.  Crucially for employers, the CPRA terminated the CCPA’s near-complete exemption for the personal information (“HR Data”) of California residents in their capacity as job applicants, employees, independent contractors, and emergency contacts (“HR Individuals”).

As a result, starting on January 1, 2023, the CCPA’s comprehensive data protection requirements, as amended by the CPRA, applied in their entirety to for-profit California employers with more than $25 million in annual gross revenues. Under the CPRA’s amendments to the CCPA, these California employers must provide expanded privacy notices to HR Individuals, negotiate CPRA contract terms with most vendors that handle HR Data, and comply with requests from HR Individuals to exercise CPRA data rights, among other steps.

The CPRA provided a six-month grace period on administrative enforcement and required that enforcement after July 1, 2023, be prospective only. There is no private right of action under the CPRA or the CCPA except in the case of a data security breach.  Because the CCPA applied in only a very limited way to HR Data, employers effectively had until July 1, 2023, to come into compliance with the new comprehensive privacy requirements.  To facilitate those compliance efforts, the CPRA required the Agency to promulgate final regulations by July 1, 2022, one year before the end of the enforcement grace period.

As noted above, the Agency was nearly nine months late in issuing final regulations.  Beyond that, the final CPRA regulations do not address three of the fifteen areas for which the Agency is required to issue regulations.  This delay and inaction created major challenges for employers that had waited for the regulations to clarify the CPRA’s many gray areas and ambiguities before completing the bulk of their compliance efforts.

The Court’s Injunction

Promptly after the CPRA regulations were finalized, the California Chamber of Commerce petitioned the Superior Court in Sacramento to, among other things, stay enforcement of the CPRA for 12 months after the adoption of all regulations required by the CPRA. The court granted the petition in part by enjoining enforcement of any regulations implemented pursuant to the CPRA for 12 months after finalization of those regulations.  This means that California authorities cannot enforce the regulations approved on March 29, 2023, until March 29, 2024. Further, any regulations that the Agency eventually issues on the three remaining mandatory areas of regulation – cybersecurity audits, risk assessments, and automated decision-making technology – cannot be enforced until 12 months after those regulations are finalized.

What are the Ruling’s Implications for Employers?

The court’s ruling unquestionably prevents the Agency from enforcing those provisions of the CPRA regulations that impose requirements on employers beyond what the CPRA itself expressly requires.  For example, the CPRA regulations require employers to provide in their privacy policy substantially more detailed information about their disclosure of personal information than what the CPRA itself requires.  However, the areas where the final CPRA regulations vary substantially from the CPRA itself are relatively limited.

The more practical effect of the ruling for employers likely will be a material reduction in the risk of an administrative enforcement action before the injunction expires on March 29, 2024.  Even before the court’s ruling, the Agency’s Executive Director told California lawmakers at a public hearing that the Agency would focus initially on public awareness, education, and voluntary compliance.  Consistent with that approach, the Agency did not publicly announce after January 1, 2023, any actions taken to enforce the provisions of the CCPA that were not amended by the CPRA and, therefore, were not subject to the grace period on administrative enforcement.  Indeed, neither the Agency nor the California Attorney General has commenced a single reported enforcement action to date involving HR Data.

Although the Agency’s Executive Director has been reported as suggesting that at least some enforcement might take place in areas outside the court’s injunction, as a practical matter, enforcing the CPRA without enforcing the regulations may be infeasible. The regulations clarified dozens of points in the ambiguous statute.  On these points, construing the statute without reference to the CPRA regulations can be challenging. Consequently, the injunction on enforcement of the regulations effectively would prevent enforcement of many parts of the statute.  Were the Agency, nonetheless, to forge ahead, its enforcement actions could become mired in litigation over whether the Agency was violating the injunction.  In short, the complexities created by the court’s ruling should provide an additional incentive for the Agency to maintain its focus on public awareness, education, and voluntary compliance — at least until the injunction expires on March 29, 2024.

Key Takeaways

While the court’s injunction may lessen the risk of administrative enforcement before March 29, 2024, employers cannot ignore the possibility that the Agency will engage in at least some administrative enforcement before that date.  Consequently, employers that are not yet fully in compliance with the CPRA should continue their compliance efforts and not view the court’s ruling as justification for halting their compliance work until the first quarter of 2024. 

Employers also should prioritize their compliance efforts to address those CPRA’s requirements that, if not satisfied, are most likely to result in regulatory attention.  These priority areas include the following:

  • Providing HR Individuals with a notice at collection that complies with the CPRA;
  • Making an online privacy policy available to HR Individuals that addresses all of the CPRA’s content requirements;
  • Responding, in accordance with the CPRA, to HR Individuals’ requests to exercise their CPRA rights;
  • Implementing reasonable and appropriate physical, technical and administrative safeguards for personal information to mitigate the risk of a data breach; and
  • Adding CPRA-mandated contract terms to agreements with service providers that handle HR Individuals’ personal information.

See Footnotes

1 The authors discussed the implication of these regulations for employers in the following article: Finalization of Regulations Clears the Path for Employers to Complete California Privacy Rights Act Compliance Efforts Before June 30, 2023 Deadline, Littler Insight (June 14, 2023). The CPRA is explained in more detail in the following: Anna Park, Zoe Argento, and Philip Gordon, Substantial New Privacy Obligations for California Employers: The California Privacy Rights and Enforcement Act of 2020 Passes at the PollsLittler Insight (Nov. 5, 2020).

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.