Companies are scrambling to prepare for California to start enforcing its sweeping privacy law next month, even though the state attorney general’s compliance rules haven’t been formalized.
Attorney General Xavier Becerra (D) June 2 released his final set of rules to guide businesses in how they should notify state residents of their rights under the California Consumer Privacy Act. Becerra plans to start enforcing the law July 1. But the state’s Office of Administrative Law may not approve the rules in time for enforcement.
Becerra has asked the office to speed its review, but the administrative agency said it has other rules to approve first. That leaves retailers, internet service providers, and other businesses already coping with the Covid-19 pandemic guessing about the best way to comply with the proposed regulations, attorneys and trade groups said.
If Becerra doesn’t delay imposing the law, he should at least “take a pragmatic approach to enforcement during these very turbulent times,” said Reece Hirsch, co-chair of Morgan Lewis’ privacy and cybersecurity practice.
Implementing the rules in the middle of a pandemic “is an enormous compliance headache” because of companies’ already-strained resources, Hirsch said.
Companies got their first glimpse into Becerra’s thinking when he released the proposed regulations in October 2019. The rules went through multiple rounds of comments and further changes. Companies and trade groups say that the changes to each version of the rules made it even more difficult to comply with the CCPA.
The regulations are a “huge project,” said Eric Goldman, a professor of law at Santa Clara University who focuses on privacy, intellectual property, and technology issues. It has been “just too much for the system to handle,” he said.
“The regs create just as much confusion as they” add clarity, Goldman said.
Complaints about the rules represent just one wrinkle in the rollout of the nation’s first comprehensive privacy law, enacted in August 2018. Companies have previously complained about the statute’s private right to sue over data breaches. Asking for speedy review only complicates the matter, trade groups and academics said.
A July 1 enforcement date will be “super difficult for companies that are trying to assess a set of regulations that have been moving and changing,” said David LeDuc, a vice president at the Network Advertising Initiative, with members including Adobe Inc., Alphabet Inc.’s Google, and Oracle Corp.
Meanwhile, the privacy advocates who originally spurred the law are lining up a November ballot initiative aimed at tightening the California statute.
The law, mimicking an earlier statute in Europe, created new consumer rights when it took effect Jan. 1, such as the ability for consumers to opt out of having their data sold to third parties. The law also allows people to access information collected about them and request that their data be deleted.
The act directed Becerra to craft regulations to carry it out. The final proposed rules dictate the process companies must follow for handling consumer requests. The rules also explain how companies can avoid discriminating against users who opt out of the sale of their data.
The California Office of Administrative Law has 30 working days to approve rules and send them to the secretary of state. Governor Gavin Newsom (D) extended this window another 60 days because of the Covid-19 pandemic. Rules approved by the OAL before June 1 would have taken effect by July 1, but rules approved after couldn’t take effect until Oct. 1. The OAL could further find that the rulemaking process violated administrative law and return the rules for further clarification.
Becerra has asked the OAL for a speedy review to get the rules in effect in time for his enforcement start date. The office, however, indicated CCPA regulations aren’t its first priority.
“We try to accommodate agencies in their requests for expedited reviews, but since we are extremely busy right now, we cannot tell you, or them, when we will be able to get to that submission,” an office spokesman said June 8. “There are many ahead of it.”
Small companies lack the employees and money that big corporations use to prepare for compliance, said Andrew Savitz, a partner at digital design and development firm Canned Spinach.
A tight compliance time window makes small companies’ challenge more difficult, Savitz said. “On the smaller company side, it is one of the last things on your mind,” he said.
Companies have called on Becerra to delay enforcement, saying the rules haven’t been approved and the coronavirus pandemic has hurt their ability to prepare.
Giving companies more time leads to “higher level of compliance and adds legitimacy” to the state’s privacy law, said Alex Propes, vice president of public policy & international at the Interactive Advertising Bureau, which has Google, Amazon, and Facebook as members.
Becerra declined to comment. He said in a June 2 statement, however, that companies have had ample time to prepare for compliance with the 2018 law, given that he proposed draft rules late last year.
“Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July,” Becerra said in his statement.
Privacy advocates say there’s no need for a delay.
“The law has been in place for almost half a year at this point, and the final regs proposed by the AG are the same as the ones they floated months ago,” said Ariel Fox Johnson, senior policy and privacy counsel at Common Sense Media. “Now is not the time to delay.”
The administrative office typically grants speedy reviews when there is a mandated enforcement deadline, said Wynter Deagle, a managing partner of Troutman Sanders’ San Diego office who focuses on privacy issues.
“But this is a far from typical environment given the moving target that has been the regulations and the significant economic and business disruption and social unrest currently occurring,” Deagle said.
Companies need to be ready to comply with or without final rules in place, attorneys said.
Companies should examine the text of the CCPA and make sure their privacy notices are in line with the statute’s clear language, said Cynthia Larose, chair of Mintz Levin’s privacy and cybersecurity practice.
Businesses should also create a “reasonable security” program that can be used to defend against a data breach and update employee privacy practices, Larose said.
Becerra’s initial enforcement efforts will likely target data breaches, children’s privacy, or health information violations, said Travis LeBlanc, vice chair of Cooley’s cybersecurity and privacy practice.
LeBlanc, a member of the Privacy and Civil Liberties Oversight Board, said Becerra should focus on the “clear cut violations of the CCPA before advancing toward more novel issues.”