California Regulators Win Their Appeal to Enforce the CCPA Revised Regulations as of July 1, 2023

For companies that slow-tracked their California compliance activities because of the tentative March 29, 2024 effective date due to the pending appeal on the regulation enforcement timeline, it is now time to prioritize compliance.

This is because late last Friday afternoon, California's Third District Court of Appeal sided with the California Privacy Protection Agency and California Attorney General Rob Bonta in the case of California Privacy Protection Agency (CPPA) v. Superior Court (California Chamber of Commerce) to allow the California regulators to enforce the revised CCPA regulations as of July 1, 2023. The decision overturned a lower court ruling that had stayed enforcement of the new and amended regulations by one year. The California Chamber of Commerce is considering its options for appeal. 

What Does This Mean for Businesses that Meet the Threshold Requirements of the California Law?

Here are the top three compliance activities for businesses to consider:

1. Businesses should review their privacy notices for compliance with the new regulatory notice requirements. Document that your businesses have not materially changed how they are using personal information as stated in your privacy notices, and note that you are making the appropriate revised cross-contextual advertising disclosures and key enforcement issues for California regulators.
2. The final regulations clarified that cross-contextual advertising included the "sharing" of personal information, not just the sale of personal information. So, businesses should review their data subject access rights to ensure they are providing a "Do Not Sell Or Share My Personal Information Link" or "Alternative Opt Out Link" for these activities to comply with the regulations.
3. The final regulations set out clear contractual requirements for three categories of vendors: service providers, contractors, and third parties. Businesses, service providers, contractors, and third parties should consider revising their data processing agreements to satisfy these requirements.

As a reminder, both the California Privacy Protection Agency (CPPA) and the California Attorney General's Office can enforce these regulations. While there is no longer any right to cure regulatory violations in California, the CPPA can audit a business, service provider, contractor, or person to ensure compliance with any provision of the CCPA. 

For more privacy insights across all state laws, read Hinshaw's Q&A: Four State Data Privacy Compliance Insights for 2024.