Constrained only by the text of the statute, and knowing that a series of proposed amendments was working its way through the Legislature at the same time, the Attorney General’s office was working on a set of proposed regulations interpreting the statute. Businesses that will be covered by California’s paradigm-shifting consumer privacy law, the CCPA, have been left to data map and build out the rough constructs of a CCPA-compliant information governance program while Sacramento worked on the details of what would be required. As of now, the amendments that can affect 2020 have passed and been signed into law, and we have a first set of proposed regulations. While the regulations are now in the public comment phase of rulemaking and subject to change, they reflect the AG’s position following a first set of public comments and over six months of study. The proposals take a very strict view of the CCPA’s language and assumed consumer protection purpose, and offer few breaks for industry. Businesses fared slightly better with the Legislature, which provided a one-year stay on application of some, but not all, CCPA consumer rights as to personal information collected either in the context of a person as a job applicant, employee or contractor, or as the representative of another business in connection with a communication regarding certain business-to-business diligence or transactions. While these carveouts expire at the end of 2020, a new proposed ballot measure would make them permanent. That ballot initiative, which will be on the November 2020 general election ballot if it garners enough signatures, nevertheless raises the bar on the rights afforded to the Californians who remain in scope, especially regarding use of data for advertising.
Finally, in preparing for the CCPA, which takes effect January 1, 2020, businesses need to keep in mind that the CCPA adds to, and does not supersede, California’s suite of existing privacy and data protection laws, as well as those of other states, most notably Nevada, which recently expanded its law, as we previously reported here.
The proposed regulations also create challenges for the advertising industry, retailers and publishers, and do not reflect what those industries were seeking. As for when businesses need to be compliant, in his press release announcing the regulations, the AG warned that although the timing for promulgating final regulations would delay his ability to commence enforcement actions for potentially up to six months, this period was not a safe harbor for noncompliance. Further, there is no delay for the private right of action to bring individual or class action suits seeking statutory penalties following data security incidents allegedly attributable to a failure to maintain reasonable security.