If a company has questions about how to comply with California’s new data privacy law, it may, under a remarkable provision of that law, request an opinion from California’s attorney general (AG). This article analyzes that provision, notes the AG’s objection to it, and discusses one proposal to change that provision before the law’s January 1, 2020, effective date.

The California Consumer Privacy Act of 2018 (CCPA) raises a lot of questions about what companies must do to comply and, thankfully, provides a mechanism by which those companies can get some answers: “Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.” Sec. 1798.155(a).

That single sentence raises a host of possible issues. First, the word “opinion” has quite a different legal definition than does “guidance,” but the provision uses both terms. “Opinion” usually means that the person receiving it can rely on it to some extent, including perhaps, in this context, in defense to an enforcement action.

Second, while this provision permits a business to seek an opinion, it does not by its terms require the AG to provide an answer, although one could reasonably infer that the statute did not provide California’s businesses a meaningless right.

Third, the provision refers to a business “or third party,” which would seem to allow pretty much anyone to solicit the AG’s guidance. The CCPA gives “third party” an inverse definition, as any individual or entity except (i) any “business” under the CCPA; or (ii) any individual or entity to whom personal information is sent for a business purpose pursuant to a written contract that contains certain promises and provisions. Sec. 1798.140(w). The provisions working together would embrace entities beyond those regulated by the CCPA as being proper requesters to the AG and could include consumer advocates, industry groups, and even privacy lawyers. This interpretation is reinforced by Section 1798.155(a) not requiring an actual controversy as the predicate to guidance.

Fourth, the provision does not explain how the AG’s response will be delivered, including whether it would be made public immediately, such as posting to the AG’s website. Under California’s Public Records Act and the California Constitution, businesses availing themselves of this “opinion” should anticipate, absent an exception, that the initial correspondence and the AG’s response will be public.

The California AG, Xavier Becerra, had questions of his own upon reading this provision. The AG made his displeasure with the provision clear, sending a letter on August 22, 2018, to the two co-sponsors of the CCPA, likening the provision to conscripting his office into giving unlimited, free legal advice:

Requiring the AGO to provide legal counsel at taxpayers' expense to all inquiring businesses creates the unprecedented obligation of using public funds to provide unlimited legal advice to private parties. This provision also creates a potential conflict of interest by having the AGO provide legal advice to parties who may be violating the privacy rights of Californians, the very people that the AGO is sworn to protect. What could be more unfair and unconscionable than to advantage violators of consumers' privacy by providing them with legal counsel at taxpayer expense but leaving the victims of the privacy violation on their own? I do not see how the AGO can comply with these requirements. I urge you to swiftly correct this.

The AG takes a dim view of the requesters in describing them as those who may be “violating the privacy rights of Californians.” As such, he does not leave much room for what will likely be the bulk of the inquirers — those who are attempting in good faith to comply with the statute and just need some guidance on how the AG will be interpreting unclear or contested provisions.

Additionally, it takes little effort to brainstorm myriad things that are “more unfair and unconscionable” than allowing businesses facing a complex, new regulation to ask the government that is imposing it for advice on how to comply. Frankly, the IRS and the SEC provide such guidance all the time. The IRS even has a hotline.

Nonetheless, there is a bill pending that would address the AG’s concerns and take substantial responsibilities off of his office. Senate Bill 561, currently in committee, would change the language of Section 1798.155(a) to: “The Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the provisions of this title.” This is more consistent with how the European Union’s GDPR operates.

The proposed text differs greatly from the current language and presents a range of issues of its own, including whether those published materials will have the force of law. The term “general guidance,” at least, would belie such authority, as the California Legislature knows how to confer rulemaking authority and this is not it. But that may not stop courts from deferring, explicitly or otherwise, to those published materials in interpreting the CCPA. This would be particularly a problem for businesses if the AG’s “general guidance” increases the compliance burdens that the CCPA otherwise imposes or makes specific a means or method of compliance that the CCPA left open.