The First CPRA Regulations are Now Enforceable

The California Privacy Protection Agency (CPPA) can begin enforcing the first group of California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA). This immediately follows a February 9th, 2024 ruling from California’s Third District Court of Appeals. This latest ruling overruled a previous ruling from a lower court that delayed enforcement of the CPRA amendments to the CCPA from July 1st, 2023 to March 29, 2024. The earlier ruling was in response to a complaint filed by the California Chamber of Commerce.

The first set of CPRA regulations were finalized in March of 2023. As a firm reminder, Executive Director, Ashkan Soltani commented that the CPPA expects “robust compliance” with the CCPA and CPRA amendments.

With the CPRA amendments now enforceable, businesses that meet the applicability thresholds need to be sure they are following the requirements, which include:

  • Respond to and honor consumer requests to opt out of having their personal information sold or shared for targeted advertising
  • Respond to and honor consumer requests regarding data deletion or correction
  • When a deletion request has been received, notify any third parties and service providers it has shared the personal information with and instruct them to delete the personal information
  • Inform consumers how their data will be used and if it will be sold
  • Only collect, use, retain, and share personal information in a manner reasonably necessary and proportionate to achieve the purposes for which it was collected or processed
  • Implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure

“The California voters didn’t intend for businesses to pick and choose which privacy rights to honor. We are pleased that the court has restored our full enforcement authority, and our enforcement team stands ready to take it from here,” said Michael Macko, Deputy Director of Enforcement for the CPPA in response to the ruling. “This decision should serve as an important reminder to the regulated community, now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

CompliancePoint has an experienced team dedicated to privacy regulations. We can help your organization maintain compliance with the GDPR, CPRA, CCPA, and all other individual state privacy laws. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.