Judge James Arguelles has sided with California businesses in holding that the California Privacy Protection Agency (CPPA) cannot start enforcement of regulations promulgated under the California Privacy Rights Act (CPRA) for a year from the enactment date of the regulations. Under the CPRA, many key operational issues were left to regulation to provide business with guidance as to implementation. But, the statute also provided that the CPPA was to have those regulations in place by July 1, 2022, with enforcement to commence July 1, 2023. Regulations were not enacted until the end of March, 2023 -- and some key regulations such as cybersecurity audits and automated decision-making are still not in place -- giving covered businesses a much shorter amount of time to implement operational changes for compliance. The latest ruling gives businesses subject to the regulations until March 2024 before enforcement can begin. The additional time will help with determinations on such technical issues as how to respond to browser signals that communicate consumer opt-out preferences.
If you have not completed (or started...) your main CPRA compliance program, you're not totally off the hook here. The latest ruling does not affect the CPPA's ability to enforce the provisions of the underlying CPRA or the regulations previously enacted under the California Consumer Privacy Act.