By Katy Keohane, Associate General Counsel, SafeGuard Privacy
February 13, 2024

Last Friday, February 9, 2024, the California Appeals Court issued a 3-0 opinion, making the CPRA regulations finalized in March 2023 immediately enforceable. 

Appeals Court Overturns Stay of Enforcement

The Appeals Court decision, overturning the lower court’s stay of enforcement until March 29, 2024, came during the California Lawyers Association’s Annual Privacy Summit in Los Angeles. As a sponsor of the CLA Privacy Summit, SafeGuard Privacy had the opportunity to hear the regulators react to the decision in real-time. 

“Now Would Be a Good Time To Review Privacy Practices to Ensure Full Compliance”

The California Privacy Protection Agency (the “Agency”) issued a formal statement. Ashkan Soltani, Executive Director of the Agency, noted, “This ruling ensures all aspects of the regulations adopted by the California Privacy Protection Agency last year are again enforceable, just as the voters intended when they enacted Proposition 24.” 

Michael Macko, Deputy Director of Enforcement for the Agency, said, “[O]ur enforcement team stands ready to take it from here. This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

SafeGuard Privacy’s CCPA/CPRA Regulations assessment addresses the requirements of these regulations, including requirements for data processing agreements, handling consumer requests, consumer opt-out mechanisms – including the mandate to recognize opt-out preference signals – and dark patterns.  

Enforcement Priorities of CPPA

During the CLA Privacy Summit, Deputy Dir. Macko reiterated Agency enforcement priorities clarifying that investigations are not limited to those areas listed below but that the following are broad areas of focus: 

  • Privacy notices
    • Reviewing to ensure compliance
    • Engaging in deeper analysis to understand how a business is operating in practice
    • Looking to see if there is a disconnect between the notice and how a business is operating
  • Right to Delete
    • Are businesses complying and implementing those requests?
  • Implementation of Consumer Requests
    • Where Consumers tried to opt out of sale or sharing, how are Businesses operationalizing those requests? 

As we shared with you previously, Deputy Dir. Macko emphasized during the Agency’s July 2023 board meeting that the regulations provide clarity and do not impose new rules. He also noted the Enforcement Division “expects to see rigorous compliance” with the regulations. He expressed the same expectations again during the CLA Privacy Summit last week. 

Other Areas of Investigation

Supervising Deputy Attorney General for the Privacy and Protection Unit, Stacey Schesser, pointed to additional investigative efforts announced in January for Data Privacy Day by the Attorney General of an investigative sweep of streaming apps and devices, investigating failure to comply with CCPA opt-out requirements, noting, “We are investigating everywhere.” (See, CA AG Data Privacy Announcement of Investigative Sweeps.)

In July 2023, the Agency announced a review of data privacy practices of connected vehicle manufacturers and related technologies. 

What Will This Mean Going Forward? 

As noted by the IAPP in the February 12, 2024, Privacy Advisor Column, “The lift on enforcement will undoubtedly bring increased activity, particularly in the advertising technology space as many of the rules that will be enforced relate to targeted advertising and consent around how those ads are produced and served.”

Furthermore, the Agency is continuing to work on a new rulemaking package, including automated decision-making, risk assessments, cybersecurity audits, proposed revisions to existing regulations, insurance, and data broker fees.

The decision of the California Appeals Court likely means regulations, such as in these areas, promulgated by the Agency will be enforceable when finalized by the Office of Administrative Law without a delay. Interested in providing public comment on the current rulemaking topics? Keep an eye on the CPPA website. See also CPPA Announcement on Regulatory Framework for Automated Decisionmaking.