- Privacy agency still hiring, building up enforcement team
- Initial focus on education, ‘voluntary compliance’
Immediate action by California’s first-in-the-nation privacy agency is unlikely on the July 1 enforcement start date for the state’s updated privacy law because the personnel and compliance infrastructure are still in flux.
“Our focus will begin on public awareness to educate the public and businesses on their rights and responsibilities,” said California Privacy Protection Agency Executive Director Ashkan Soltani at an April hearing before state lawmakers. “We hope to drive voluntary compliance given we are still in the process of building out our enforcement team.”
The July 1 date for the California Privacy Rights Act coincides with other state privacy laws coming online next month, such as in Colorado and Connecticut.
Attorneys are still advising clients to move toward compliance even if there’s more time before the agency’s enforcement arm is up and running. Adhering to the new regulations is especially crucial with an unclear picture of what enforcement will look like, said Sarah Bruno, partner at Reed Smith LLP.
Enforcement “is a stress for, I know, a number of companies, just the unknown of what that is. But I think we should expect something, and we should expect it to be more routine than what we’ve gotten,” she said.
Ramping Up
The agency is waiting on approval of the state budget that includes money for its enforcement buildup. The legislature has approved around $12 million for the agency, at its request. The governor has until the end of this month to sign the budget in time for the new fiscal year.
That $12 million is part of the $10 million already provided annually, with inflation adjustments, by the Privacy Rights Act. Part of the budget request this year includes capturing previous inflation adjustments that the agency didn’t request before because it wasn’t spending all its money fast enough.
The agency’s budget calls for an initial six-person enforcement team, which it calls a “conservative estimate” on what’s required to oversee more than 52,000 businesses, a workload that’s likely to grow in future years. The team will be responsible for investigating consumer complaints, maintaining a complaint portal, issuing subpoenas, enacting administrative penalties, and working with the state attorney general to ensure compliance with the agency’s orders.
A separate three-person auditing team will assist in assessing consumer complaints. Its main function will be to analyze them for violations of privacy law and work with businesses to make improvements. The agency plans for the auditing arm to also keep track of emerging technologies or trends that may result in privacy concerns.
Hiring, training, and equipment purchasing will begin in July, according to the budget proposal. It’s unclear when those initial steps will be completed, given that the agency has previously struggled to hire quickly, which resulted in delays in issuing the first Privacy Rights Act regulations.
The agency plans to set goals and measure outcomes for complaint processing and resolutions over the next few years.
Public Awareness
A public awareness campaign will be underway in the summer, telling consumers about their rights and businesses about how to comply with consumer requests. A consultant will provide audience research before the campaign is launched, said Megan White, the agency’s public affairs director, at a May board meeting.
These first steps in the state’s next fiscal year reinforce the idea of “voluntary compliance,” but that doesn’t mean companies can ignore regulations in the meantime. Violations that occurred on or after July 1 can still be subject to enforcement, according to statute.
“That was PR, at that point, telling companies they have to get into compliance,” Bruno said of Soltani’s “voluntary compliance” remarks. “They want to see that companies are in compliance. And I think the hope is that they focus on companies that seem to be, blatantly, just not in compliance with CPRA at all.”
Immediate Changes
After July 1, there won’t be a 30-day cure period in which a company can fix problems to avoid penalties. It’ll be up to the agency to decide whether a grace period is warranted, considering whether the non-compliance was intentional and whether the agency’s delay in issuing regulations played a part.
The agency also will have up to five years from the date of the violation to bring an administrative action. The attorney general now has just one year to bring a civil action, although a bill (A.B.1546) would align that statute of limitations to five years as well.
Industry reports show that there hasn’t been a lot of compliance with California’s privacy regime. A study released last year by CYTRIO Inc., a data privacy compliance company, found around 90% of businesses surveyed weren’t fully compliant with the California Consumer Privacy Act before it was updated by the Privacy Rights Act.
At the time, the state attorney general was the sole enforcer, able to get a civil penalty in court of $2,500 per violation or $7,500 per intentional violation. While the attorney general’s office took significant actions, observers noted it was just one entity with countless other responsibilities.
Now the privacy agency will share in the enforcement, which is expected to lead to more routine inspections of companies’ privacy practices, Bruno said.
Companies preparing for July 1 should have systems in place for letting consumers opt in or out of their data being shared and be able to respond to opt-out tools like Global Privacy Control, said Bruno. If data is being shared with third parties, the right contracts and controls over the flow of information should be in place.
Managing consumer requests to access or delete personal data should be a priority, as failure to do so could result in complaints and lead to agency investigations. Data security is especially important, Bruno added, given Californians have a private right of action in that context.
“There’s going to be more of a focus on companies having systems in place to comply with the exchange of data for either sale or sharing,” she said.