Overview
Businesses are keeping an eye on Sacramento. The California Attorney General has ramped up his public statements about the future and enforcement of the California Consumer Privacy Act (CCPA). We walk through some of the highlights.
In Depth
Minimal Changes Expected to the Final Regulations
On October 10, 2019, the Attorney General issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. According to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10.
The deadline to submit public comments on the proposed regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes.
The proposed regulations should give everyone a sense of how the Attorney General will interpret the CCPA. The Attorney General is required to issue final regulations and a final Statement of Reasons at some point before July 1, 2020, which is the first day that the Attorney General can enforce the law.
Investing in Enforcement
California has invested in enforcement resources. The Attorney General stated that the CCPA will cost the state about $4.7 million for FY 2019-2020, and $4.5 million for FYI 2020-2021, which reflects the cost of hiring an additional 23 full-time positions and expert consultants to enforce and defend the CCPA. See Notice of Proposed Rulemaking, page 10. Despite this additional funding, the OAG is still an agency with limited resources. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if it takes on large and well-funded companies.
Perhaps for this reason, the Attorney General stated in an interview with Reuters that the agency will “look kindly” on those that demonstrate an effort to comply with the CCPA. If the business is not operating properly, the OAG will “descend on them and make an example of them.” The Attorney General further said he would relax enforcement for smaller companies who can show they have made efforts to comply, but that ignorance of the law will not be an excuse.
The Attorney General is continuing to consider enforcement alternatives, including empowering District Attorneys and City Attorneys to bring enforcement actions. There has also been some discussion about possibly resuscitating the private right of action for violations of the CCPA’s privacy provisions, which was an effort that died in the legislature in 2019.
The OAG’s Enforcement Priorities
Delayed enforcement does not mean a free pass. The Attorney General has publicly stated that his office will enforce violations that occurred during the first six months of the year. Several news outlets have reported that during this period, the Attorney General will monitor how businesses have implemented and adjusted to the CCPA, with a particular focus on: (i) companies that handle large amounts of consumer sensitive and critical data (e.g., health records and SSNs); and (ii) the treatment of children’s data.
Advisory to California Consumers
On January 6, 2020, the Attorney General issued an advisory to consumers that describes their rights under the CCPA and information about the newly published data broker registry. The advisory also contained a call to consumers about their private right of action in the case of a data breach. This effort by the Attorney General aims to empower consumers to understand and exercise their rights, and to hold businesses accountable for transparency and compliance with the CCPA.
We expect to see increasing activity coming out of the OAG in the first half of 2020, particularly when the final implementing regulations for CCPA are released. As businesses continue to button up their CCPA compliance, we recommend subscribing to the OAG’s notifications on its CCPA rulemaking and keeping tabs on public hearings and press releases.