Calif. Privacy Agency Sued by Businesses Seeking Enforcement Delay
California businesses asked a state court to delay enforcement of the California Privacy Rights Act (CPRA) until one year after the California Privacy Protection Agency adopts final rules.
With CPRA enforcement set to begin July 1, the California Chamber of Commerce (CalChamber) sued the agency and Attorney General Rob Bonta (D) Thursday at the California Superior Court in Sacramento (case 2023-80004106-CV). Consumer privacy advocates called the complaint another delay tactic by industry. A business privacy attorney countered that CalChamber’s suit seeks to resolve uncertainty.
The California privacy agency released final regulations on its website Tuesday after the Office of Administrative Law approved them last week (see 2303300073). “The regulations have not changed substantively since” the agency’s board approved changes at an Oct. 29 meeting, it noted in an email announcing their availability. The board plans to discuss CalChamber’s complaint in a closed session at an April 14 meeting, said an agenda released Monday.
The privacy agency “is aware of the lawsuit” seeking to delay application of rules that took effect March 29, said Executive Director Ashkan Soltani in a statement: “We remain committed to advancing the privacy rights of Californians, and will continue to fight for the safeguards Californians overwhelmingly supported at the ballot box.” Bonta’s office didn’t comment Tuesday.
The state court should declare that businesses won’t be subject to enforcement July 1 and that enforcement won’t begin until 12 months after all final rules are adopted, said CalChamber. California businesses will be harmed if CPRA obligations are allowed to be enforced “just weeks or months after ... regulations have been finally adopted and without providing the statutory one-year grace period necessary for those members to understand and implement their compliance obligations,” it complained.
The law required the agency to adopt all regulations by July 1, 2022, one year before enforcement, claimed CalChamber. "This one-year implementation period is an essential feature of Proposition 24.” That ballot initiative, which created the CPRA, and the legislative history contain no “statement indicating that the Agency can issue mandatory regulations in a piecemeal format, or miss its own deadlines but hold others against businesses.”
"Even if businesses wanted to complete these updates before July 1, 2023, they could not do so absent final regulations,” CalChamber said. The privacy agency’s published regulations cover eight of 15 regulatory areas in the CPRA, it noted. "The Agency has not published even draft regulations addressing some of the most novel and complicated topics mandated by the law's rulemaking provision," which “will leave countless businesses guessing at the concrete actions they will need to undertake to conform to the law.”
It’s not like the rules dropped from the sky, responded Electronic Privacy Information Center Senior Counsel John Davisson in an interview Tuesday. CalChamber and businesses participated in the rulemaking process from when it started about two years ago, “and the shape of these regulations really hasn’t changed much since November,” said the consumer privacy advocate: It’s not credible for companies to argue they had no time to prepare and consumers will be worse off if privacy protections are delayed, he said.
The CPRA “doesn’t say there has to be a year delay,” said Davisson: The CPRA’s July deadlines in 2022 and 2023 to finalize and enforce rules were meant “to keep the agency on pace.” Californians who voted for CPRA enforcement by July 2023 shouldn’t be punished because the agency went overtime, the lawyer said. EPIC would like the agency to act quickly but it’s also important to get rules right, he said. CalChamber’s argument that the agency should release all regulations before enforcement isn’t credible because the agency can’t enforce rules that don’t exist yet, said Davisson.
Final rules “will take time and effort to implement” and businesses lost a 30-day right to cure possible violations Jan. 1, countered Squire Patton Boggs privacy attorney Alan Friel. “Were the government to start enforcing the regulations as of July 1, given its delay in promulgating them, there would be serious due process issues.” The state has “discretion as to when and how to enforce the new regulations,” he said, but “that leaves uncertainty that the suit seeks to resolve.”
CalChamber “has, at every turn, sought to weaken, delay, or otherwise confound the progress of” CPRA and its predecessor, the California Consumer Privacy Act, emailed Hayley Tsukayama, Electronic Frontier Foundation legislative activist. “It does not surprise me that they are again seeking to delay enforcement of these laws.” The agency hasn’t announced any enforcement hires, so it’s unclear what effect a delay would have, the consumer privacy advocate said. “But Californians deserve their full privacy rights under the law and we shouldn't have to wait any longer than we already have.” CalChamber didn’t comment Tuesday.