• by Wendy Davis  @wendyndavis, April 5, 2023

The California Chamber of Commerce is asking a state court judge to postpone enforcement of new privacy regulations, arguing that state's privacy agency hasn't given companies enough time to comply with the new rules.

In a lawsuit filed last week, the business group argues that the California Privacy Protection Agency was required to adopt final regulations to the Consumer Privacy Rights Act (also known as Proposition 24) by July 1, 2022 -- one year before the scheduled enforcement date. 

Instead, the agency adopted partial final regulations last week, leaving businesses with only around three months to come into compliance, the lawsuit says.

“The agency's piecemeal approach and disregard of statutory deadlines is regulation by fiat that effectively and improperly rewrites Proposition 24 and severely prejudices California businesses by depriving them of the one-year compliance grace period,” the California business group writes in a petition brought in Sacramento County Superior Court.

“These brand new rules can reasonably be expected to require significant operational work (as they are new requirements), which Proposition 24 accounted for by giving businesses a year to prepare,” the organization adds. “But the agency's failure to timely promulgate regulations in these critical areas means that businesses may have no grace period whatsoever.”

The organization is asking a judge to delay enforcement of the law and regulations until one year from the date the agency adopts final regulations.

Ashkan Soltani, executive director of the California Privacy Protection Agency, stated the agency was aware of the lawsuit

“We remain committed to advancing the privacy rights of Californians, and will continue to fight for the safeguards Californians overwhelmingly supported at the ballot box," he stated.

The Consumer Privacy Rights Act, which was passed as a ballot initiative in 2020, expanded on the 2018 California Privacy Protection Act. Taken together, the two measures give consumers the right to tell companies not to share or sell their information for a host of purposes, including online behavioral advertising. Other sections of the Privacy Rights Act deal with topics including cybersecurity and risk assessments.

The regulations that were adopted last week largely deal with people's ability to control the use of their data. One of the more controversial rules requires companies that collect or process consumer data to honor opt-out preference signals -- such as commands users send through their browsers. The ad industry previously argued that the wording of the Consumer Privacy Rights Act allows companies to ignore requests made through those kinds of tools, as long as companies offer opt-out links on their own websites.