New CCPA Regulation Enforcement Delayed Until March 2024

On June 30, 2023, the Sacramento County Superior Court determined that the Agency must wait 12 months to enforce any regulations under the 2020 CPRA amendments but could begin enforcing any CCPA regulations already in effect.

by Rick Stevenson

July 27, 2023

When it passed back in 2018, the California Consumer Privacy Act became the most stringent US privacy law. Mirroring many requirements from the European Union (EU) General Data Protection Regulation (GDPR), the new law sought to give people more control over their data. In November of 2020, California voters passed the California Privacy Rights Act (CPRA) through a ballot initiative, amending the CCPA and establishing additional compliance requirements. 

The CPRA’s enforcement requirements tasked the California Privacy Protection Agency (the Agency) with adopting final implementing regulations by July 1, 2022, noting that enforcement would begin no earlier than July 1, 2023. 

Complicating the enforcement timeline, the Agency did not finalize the first set of regulations under the CPRA until March 29, 2023, nearly nine months past the statutory deadline. This delay raised the question of whether the implementing regulations could be enforced beginning on July 1, 2023. 

On June 30, 2023, the Sacramento County Superior Court determined that the Agency must wait twelve months to enforce any regulations under the 2020 CPRA amendments but could begin enforcing any CCPA regulations already in effect.

What is CCPA?

The California Consumer Privacy Act of 2018 (CCPA) was the first comprehensive US state law granting people rights over, and control of, their personal information. Similar to the GDPR, the CCPA reaches beyond state borders: it protects California residents wherever they happen to be, and it applies to covered businesses that collect their personal information regardless of where those businesses are located. 

As enacted in 2018, the CCPA identified the following six consumer rights:

  • Know the information collected

  • Know the information sold or disclosed

  • Ability to opt-out of data sharing 

  • Ability to access data

  • Protection against discrimination

  • Request that data be deleted

In November 2020, California voters passed the California Privacy Rights Act (CPRA), updating and amending the CCPA. These additions included:

  • Right to correct

  • Right to limit use

Further, the CCPA, as amended, also requires businesses to:

  • Complete risk assessments 

  • Engage in cybersecurity audits

  • Provide consumers with access and opt-out rights regarding automated decision-making technology

Which CCPA Regulations are Currently Enforced?

The Sacramento County Superior Court’s language creates confusion, especially since cross-referencing with the California Office of the Attorney General (OAG) website fails to distinguish the different enacting regulations.

The OAG has been sending CCPA noncompliance notices since July 1, 2020, and is allowed to continue to enforce these requirements.

1. Right to Know

Consumers have the right to ask businesses about the:

  • Categories of personal information collected.

  • Specific pieces of personal information collected.

  • Categories of sources used to collect information.

  • Purpose for using information.

  • Categories of third parties with which the business shares personal information.

  • Categories of information sold or disclosed to third parties.

2. Right to Deletion

Consumers have the right to: 

  • Ask businesses to delete collected personal information.

  • Ask businesses to tell service providers to delete sold or disclosed data.

3. Right to Opt-Out

Consumers have the right to request that businesses:

  • Stop selling or sharing personal information.

  • Stop targeting advertising to them based on personal information obtained from their activity across numerous websites (cross-context behavioral advertising).

Businesses must wait 12 months before asking consumers if they want to opt back into data sale or sharing.

4. Right to Non-Discrimination

If consumers exercise their rights under the CCPA, businesses cannot:

  • Deny goods or services.

  • Charge a different price for goods or services.

  • Provide a different level or quality of goods and services.

If a business offers promotions, discounts, or deals as a financial incentive for sharing data, opt-out requests may impact consumer participation in those activities.

5. Privacy Policy

Businesses must provide consumers with an easy-to-understand policy that explains online and offline practices related to personal information, such as:

  • Collection

  • Use

  • Sharing

  • Sale

The privacy policy must also explain people’s privacy rights and how to exercise them.

Which CCPA Regulations Will Be Enforced in March 2024?

Companies subject to the CPRA have until March 2024 to comply with the two new rights that the CPRA added.

1. Right to Correct

Businesses must update inaccurate consumer data when people ask them.

2. Right to Limit

Consumers can request that businesses limit their use and disclosure of sensitive personal information to what is necessary to provide the goods or services the consumer requested.

Requirements Not Yet Drafted

Finally, as of June 30, 2023, the Agency had yet to finalize regulations implementing the following three areas:

  • Risk assessments

  • Cybersecurity audits

  • Automated decision-making

Businesses will have 12 months from the final publication of the enacting regulations to comply with the requirements. 

What Does This Mean for Businesses?

For businesses, the majority of CCPA requirements remain intact, especially since the OAG has already been sending noncompliance notices since 2020. While companies have some breathing room around responding to requests for correction and limitation on data use, the roughly nine months remaining until March 2024 provide very little runway.

Further, even though companies have twelve months from the publication of the risk assessment, audit, and automated decision-making requirements to comply, waiting until the last minute could prove chaotic. In the case of CCPA compliance, proactive organizations are more likely to limit their risk of fines and lawsuits. 

To experience Drata’s ability to help you accelerate your CCPA compliance, contact us for a demo today.


Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.