Less than a week after the landmark California privacy law’s final rules took effect, companies face a greater risk of being targeted for possible violations.
Attorney General Xavier Becerra (D) had only the law’s plain language to guide him when he began enforcement July 1. The rules’ enactment opens new avenues for investigations, including whether companies have adequate privacy policies and data-sale regimes.
The enactment “certainly paves the way” for more enforcement, said Mark Lyon, privacy partner at Gibson, Dunn & Crutcher LLP and head of the firm’s artificial intelligence practice group. Companies should expect “an increase in the number of letters sent, or even judicial actions filed.”
The final rules, which Becerra announced Aug. 14, show how the reach of the California Consumer Privacy Act has been growing since the statute took effect Jan. 1. The law created new privacy rights for California residents, including the ability to opt out of the sale of their data and to see what information is collected about them.
The rules explain in detail how businesses must carry out the law. For instance, businesses that tell their customers they don’t sell data, and then later wish to do so, would need to get consumers to opt in twice. The rules also require companies to describe the process for verifying consumer requests to correct or delete data.
“Most of the meat” of the law’s requirements are in the final regulations, said Elliot Golding, data privacy & cybersecurity partner at Squire Patton Boggs.
Becerra had “more than enough” plain statute language for enforcement, but the rules give him an even stronger hand, he said.
The absence of final rules after the law took effect had created ambiguities that likely shielded businesses from some enforcement, said Amanda Fitzsimmons, privacy and litigation partner at DLA Piper.
“Now that the rules are finalized, there is no longer a defense that businesses are unaware of the requirements,” she said.
No Longer ‘Forward-Looking’
The California Office of Administrative Law approved the rules Aug. 14 with some minor tweaks that didn’t create material changes from the last of four draft versions. Becerra released the first draft in October 2019.
“Compliance is no longer a forward-looking enterprise,” said Kristin Madigan, privacy partner at Crowell & Moring LLP, based in San Francisco.
Businesses more than ever must ensure their policies comply with granular aspects of the law, Lyon said in an email.
“Don’t wait until you get an enforcement letter to consider what changes may be needed,” he said.
The rules leave some uncertainties, such as how consumers are supposed to set up user-enabled privacy controls and how companies decide whether an IP address is personal information, Lyon said.
“As more and more enforcement actions occur,” he said, “we will definitely see push back from some parties.”
Trade groups welcomed the end to the rulemaking process.
“Responsible companies with strong privacy programs have been working toward compliance for months and simply need clarity,” Leigh Freund, president and CEO of the Network Advertising Initiative, whose members include Adobe Systems Inc., Alphabet Inc.’s Google, and Viant Inc., said in an email.
Privacy advocates also welcomed the rules as a kicking-off point to keep companies in line with the CCPA.
It’s important that Becerra “can hold companies accountable for privacy violations,” Hayley Tsukayama, a legislative analyst at the Electronic Frontier Foundation, said in an email.