Businesses are keeping an eye on Sacramento as the California Attorney General has ramped up his public statements about the future and enforcement of the California Consumer Privacy Act (CCPA). We walk through some of the highlights.
Minimal Changes Expected to the Final Regulations
On October 10, 2019, the Attorney General issued Proposed Text of Regulations to further the purpose of the CCPA, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. According to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10.
The deadline to submit public comments on the proposed text of the regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes.
The proposed regulations should give everyone a sense of how the Attorney General will interpret the CCPA. The Attorney General is required to issue final regulations and a final Statement of Reasons at some point before July 1, 2020, which is the first day that the Attorney General can enforce the law.
Investing in Enforcement
California has invested in enforcement resources. The Attorney General stated that the CCPA will cost the state about $4.7 million for FY 2019-2020, and $4.5 million for FYI 2020-2021, which reflects the cost of hiring an additional 23 full-time positions and expert consultants to enforce and defend the CCPA. See Notice of Proposed Rulemaking, page 10. Despite this additional funding, the OAG is still an agency with limited resources, and many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if it takes on well-funded major companies.
Perhaps for this reason, the Attorney General stated in an interview with Reuters that the agency will “look kindly” on those that demonstrate an effort to comply with the CCPA. However, if the business is not operating properly, the OAG will “descend on them and make an example of them.” The Attorney General further said he would relax enforcement for smaller companies who can show they have made efforts to comply, but ignorance of the law will not be an excuse.
In addition, the Attorney General is still looking for enforcement alternatives. There has been some discussion about empowering District Attorneys and City Attorneys to bring enforcement actions, as well possibly resuscitating the private right of action for violations of the CCPA’s privacy provisions, an effort that died in the legislature in 2019.
The OAG’s Enforcement Priorities
Delayed enforcement does not mean a free pass. The Attorney General has made clear in several public statements that his office will enforce violations that occurred the first six months of the year. Several news outlets have reported that the Attorney General will monitor how businesses have implemented and adjusted to the CCPA, focusing on: (i) companies that handle large amounts of consumer sensitive and critical data (e.g., health records and SSNs); and (ii) the treatment of children’s data.
Advisory to California Consumers
On January 6, 2020, the Attorney General issued an advisory to consumers that describes their rights under the CCPA, information about the data broker registry and new guidelines related to data security. This effort by the Attorney General is aimed at empowering consumers to understand and exercise their rights, and to hold businesses accountable for transparency and compliance with the CCPA.
We expect to see increasing activity coming out of the OAG in the first half of 2020, particularly when the final implementing regulations for CCPA are released. As businesses continue to button up their CCPA compliance, we recommend subscribing to the OAG’s notifications on its CCPA rulemaking and keeping tabs on public hearings and press releases.