On Friday, February 9, California’s Third District Court of Appeal held that regulations of the California Consumer Privacy Act, as amended, pertaining to key areas of the law are now enforceable. The regulations had been stayed by a lower court’s ruling in July 2023 and were set to become effective March 29, 2024. In a big win for the California Privacy Protection Agency (CPPA) and state Attorney General Rob Bonta, Friday’s ruling enables immediate enforcement of the regulations.
What does Friday’s ruling mean?
The ruling will lead to a new period of privacy act enforcement. In its press release on Friday, the state agency noted that the ruling restored the CPPA’s full enforcement authority, and it issued a warning: “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.” The regulations affected by Friday’s ruling, which apply to consumer and employee data, cover several key areas of the amended act: transparency requirements, honoring requests to exercise privacy rights, requirements for service providers and third parties, the handling of children’s and teens’ data, training, and recordkeeping.
How should businesses respond?
First, if you are not sure whether you are subject to the CCPA, now is the time to determine if you meet the CCPA’s applicability thresholds. As the agency noted, if you are subject to the act, now is the time to review your privacy practices to ensure you comply with the law’s stringent requirements. In particular, care should be taken to assess compliance in the following areas covered by regulations about to be enforced:
- Review employee and consumer-facing privacy disclosures to ensure they contain required details about personal data processing.
- Assess your practices to make certain you can promptly and adequately respond to employee and consumer requests to exercise their privacy rights.
- Verify that agreements with service providers, contractors, and third parties contain all the necessary provisions covered by CCPA regulations.
- Confirm you can meet CCPA age-related requirements if you process personal information of consumers under the age of 16.
- Implement a privacy training program, if your organization does not have one.
- Confirm you can meet the CCPA’s recordkeeping requirements.
To learn more about Friday’s ruling or the CCPA regulations, visit the CPPA’s website at https://cppa.ca.gov/ or contact an attorney.
This article summarizes aspects of the law and does not constitute legal advice. For legal advice for your situation, you should contact an attorney.