Time for Employers to Complete California Privacy Rights Act Compliance as Court of Appeal Lifts Injunction on Enforcement

  • The California Court of Appeal’s decision on February 9, 2024 immediately restores the California Privacy Protection Agency’s enforcement power.
  • The decision impacts finalized regulations – which are no longer subject to enforcement delay. 
  • Upcoming and pending regulations are unlikely to face enforcement delay once finalized.
  • Court battles over enforcement are likely to continue, as the California Chamber of Commerce seeks California Supreme Court review.

Employers had a big win in late June 2023 when a trial court in Sacramento enjoined until March 29, 2024, enforcement of the final regulations under the California Privacy Rights Act (CPRA), the only one of 14 recently enacted, comprehensive state data protection laws that applies to human resources information.  This extended grace period ended prematurely on February 9, 2024, when the California Court of Appeal rejected the lower court’s injunction and restored enforcement authority immediately to the California Privacy Protection Agency (the “Agency”).1 The court’s decision also impacts enforcement of upcoming regulations addressing cybersecurity audits, risk assessments, and automated decision-making technology, as the appellate court also rejected a future, one-year stay on enforcement imposed by the Sacramento trial court.  As a result, employers that were waiting until March 29, 2024, to complete their CPRA compliance work should accelerate completion of those efforts, and they also should carefully monitor the rulemaking process for the three pending sets of regulations. 

This Insight explains the ruling and its implications for employers and the status of the three upcoming sets of regulations.

Background to the Court’s Ruling

In addition to extending the California Consumer Privacy Act to the personal information of California job applicants, employees, independent contractors, and emergency contacts, the CPRA, among other things, created the Agency and required the adoption of final implementing regulations on a range of subject matters by July 1, 2022, with enforcement to begin one year later, on July 1, 2023.  The Agency, however, failed to meet the July 1, 2022, statutory deadline.  It was not until March 29, 2023, that the Office of Administrative Law approved the final regulations.2  Even then, regulations on only some of the subject matters had been finalized.  Nonetheless, the Agency intended to enforce the CPRA regulations in the finalized areas commencing July 1, 2023.

In response, the California Chamber of Commerce sued the Agency, seeking an order compelling the Agency to finalize regulations on all remaining subject matters and asking for a one-year stay on enforcement from the date of adoption.  On June 30, 2023, the Sacramento trial court declined to mandate when the Agency must finalize the pending regulations, but ordered a 12-month stay on enforcement of the final regulations, reasoning that immediate enforcement should be prohibited because the Agency had failed to implement final regulations by the statutory deadline, and the one-year grace period in the CPRA was intended to give businesses sufficient time after finalization of the regulations to comply.3  The decision also applied to the three sets of upcoming regulations – cybersecurity audits, risk assessments, and automated decision-making technology – requiring a one-year delay in enforcement from the date those regulations will have been finalized.

The Agency filed a petition to the appellate court for extraordinary writ of mandate, arguing that the CPRA did not expressly link enforcement of the law with the implementation of final regulations.

Appellate Court Unlocks the Agency’s Enforcement Power

In its February 9, 2024, decision, the California Court of Appeal issued a peremptory writ of mandate removing the stay on enforcement – to be effective upon filing of the court’s order.  The court found nothing in the plain language of the CPRA or in any of the interpretative guidance indicating that the one-year gap between the July 1, 2022 deadline for promulgating final regulations and the July 1, 2023 start date for enforcement was intended as a one-year grace period to allow businesses time to come into compliance with regulations; consequently, the trial court had no basis effectively to alter the plain language of the statute allowing for enforcement to commence on July 1, 2023.  Interestingly, the Court of Appeal directed the trial court to consider the propriety of compelling more prompt development of the remaining regulations – which the trial court had previously declined to do.

Most decisions in writ proceedings are final 30 days after the decision is filed.  Yet here, the appellate court ordered immediate finality of its decision, making it effective upon its filing on February 9, 2024 and preventing any further delays on the Agency’s enforcement authority. 

Though enforcement authority is immediately restored, the Agency does have the discretion to consider that businesses had less than one full year to achieve compliance.  The Court of Appeal highlighted a provision in the final CPRA regulations that allows the Agency to “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”4

Nonetheless, the Agency has signaled its eagerness to begin enforcement.  The Agency issued a statement after the ruling making clear that its “enforcement team stands ready to take it from here.”    

Status of the Three Upcoming Sets of CPRA Regulations

The Court of Appeal’s decision also clarifies the Agency’s authority to enforce future regulations upon finalization.  The three pending sets of regulations cover topics not addressed by the CPRA itself and would impose new requirements on businesses: to perform independent audits of their cybersecurity, to conduct risk assessments for the processing of sensitive or higher-risk personal information, and to meet requirements with respect to the use of automated decision-making technologies.

Currently, these regulations are caught in the slow-moving rule-making process.  To illustrate, in February 2023, the Agency invited “pre-rulemaking” comments on the three sets of regulations: cybersecurity audits, risk assessments, and automated decision making (ADM).  The comment period closed on March 27, 2023.  Between August 28, 2023, and December 1, 2023, the Agency issued two successive discussion drafts of the cybersecurity audit and risk assessment regulations, one discussion draft of the ADM regulations, and a discussion draft of proposed revisions to the final CPRA regulations.  At the Agency’s Board meeting on December 8, 2023, only the drafts of the cybersecurity audit regulations and the amendments to the existing CPRA regulations were approved to be prepared for formal rulemaking.  The Board concluded that the discussion drafts of the ADM regulations and the risk assessment regulations were not ready for formal rulemaking. 

No formal action has been taken since the December 8 meeting in relation to any rule-making process.  It is highly unlikely that any of these regulations will become final before the end of 2024.  Given these long delays, it comes as no surprise that the Court of Appeal in its February 9 decision asked the trial court to consider the appropriateness of compelling the swifter development of regulations.

Court Battles over the Agency’s Enforcement Authority Will Continue

Though the Court of Appeal unanimously and decisively lifted the stay on enforcement of the finalized CPRA regulations, the litigation is far from over. On February 15, 2024, the Sacramento trial court issued two Minute Orders that signal what is to come. 

The first order directed the parties to file supplemental briefs addressing their respective positions on the propriety of compelling more prompt development of regulations, as ordered by the Court of Appeal.  Shortly thereafter, the trial court posted a second order stating that the Chamber intended to file a Petition for Review in the California Supreme Court – which the Chamber advised would make further briefing premature, if a remittitur is eventually issued.  (Likely reasoning that, if review is not granted by the Supreme Court, a remittitur would be issued, ending the appellate court’s jurisdiction and sending the matter back to the trial court to carry out the Court of Appeal’s decision.)  Nonetheless, the trial court made clear it would proceed in setting a briefing schedule in the case and asked the Chamber to file a written motion to request relief from further briefing.

It remains to be seen whether the issue of compelling more prompt publication of final regulations will be addressed by the trial court or whether the California Supreme Court will take up the entire case now that the Chamber of Commerce filed a petition for review on February 20, 2024.  Crucially, absent an order by the Supreme Court, the Chamber’s filing of a petition for review with the California Supreme Court does not stay the Court of Appeal’s ruling that enforcement may proceed.

Key Takeaways

Despite the likelihood of further litigation, the Court of Appeal’s decision and the Agency’s public statement in response signal that CPRA enforcement is upon us.  Employers that have not yet completed their CPRA compliance work should expedite completion.

Moreover, future regulations are likely to be enforceable when finalized – without a grace period.  Employers should, therefore, continue to monitor both this ongoing litigation and the Agency’s tortuous rule-making process for upcoming cybersecurity audit, risk assessment, and ADM regulations as well as amendments to the finalized CPRA regulations.

Footnotes

1 California Privacy Protection Agency et al. v. The Superior Court of Sacramento County (Case Number C099130). 

2 The implications of these regulations for employers are discussed further in the following: Kwabena Appenteng, Zoe Argento, Philip Gordon, and Denise Tran-Nguyen, Finalization of Regulations Clears the Path for Employers to Complete California Privacy Rights Act Compliance Efforts Before June 30, 2023 Deadline, Littler Insight (June 14, 2023).

3 More information on this ruling: Kwabena Appenteng, Zoe Argento, Philip Gordon, and Denise Tran-Nguyen, Breathing Room for Employers as Court Enjoins Enforcement of California Privacy Rights Act Regulations, Littler ASAP (July 2, 2023).

4 Cal. Code Regs., tit. 11, § 7301, subd. (b).
