California delays CPRA regulations

The California Privacy Protection Agency (CPPA) was supposed to finalize new privacy regulations last July—but missed its deadline by around nine months.

The new regulations (which we’ll call “the CPRA Regulations”) arrived on 29 March 2023, giving businesses only a couple of months to comply before the intended deadline of 1 July 2023.

But a California court has intervened, pushing the enforcement deadline back to 29 March 2024.

There is a lot of confusion about what this decision means. To clarify matters, we’ve created a timeline that sets out the recent history of California’s privacy efforts—and provided one truth and three falsehoods about the implications of this California court judgment.

The background

The CPPA was formed after the passing of the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA). One of the CPPA’s first tasks was to create the CPRA Regulations, enforcement of which has now been delayed.

This can be a confusing area, particularly with so many acronyms containing the letters “C”, “P”, and “A”.

So here’s a reminder of what’s happened with CCPA lawmaking and rulemaking so far. We’ve split the timeline into three phases to clarify the CCPA’s history further.

Phase 1: Early CCPA activity

Skipping over the initial CCPA proposals and debates, our timeline begins in June 2018.

June 2018: The CCPA becomes law.
October 2019: A bill, AB 25, delays enforcement of some of the CCPA’s rules on employees and business-to-business (B2B) processing until January 2021.
January 2020: The CCPA takes effect.
September 2020: Another bill, AB 1281, further delays the CCPA’s employee and B2B rules until January 2022.
August 2020: Initial CCPA Regulations take effect.

That covers California’s early CCPA activity.