California AG Starts Enforcing State Privacy Act
The California Consumer Protection Act enforcement kicked off Wednesday. Senate Majority Leader Robert Hertzberg (D) told us he expects Attorney General Xavier Becerra (D) to act shortly to enforce CCPA, even with some matters unresolved. Privacy attorneys, consumer advocates and others expect the AG to tackle egregious violations of the statute in enforcement’s early days, they said in interviews.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The AG plans to enforce it even though final rules to implement CCPA require Office of Administrative Law (OAL) approval. Becerra submitted the rules June 1 (see 2006020062), six months after the law took effect. The office normally has 30 working days but due to COVID-19 may take an additional 60 calendar days to OK state regulations. Further complicating things, a ballot initiative and proposed sequel to CCPA called the California Privacy Rights Act (CPRA) qualified last week for the Nov. 3 election (see 2006250052). Calls by businesses to delay CCPA enforcement including because of the pandemic failed to dissuade Becerra (see 2004020043).
“It would be fair for the attorney general to send a message to make sure that the law’s enforced,” said Hertzberg, noting he has seen much work done to increase privacy since CCPA passed. Hertzberg doesn’t “think it’s going to be a gotcha situation where you missed a comma or made a small mistake.” The AG will target an “extreme violation," he said.
“The entire context is challenging,” Hertzberg said. When lawmakers passed CCPA in 2018, they gave the legislature a year to put together implementation legislation, “and that didn’t happen.” The AG made rules, but now there’s another privacy proposal on the November ballot, Hertzberg added. CPRA, which he expects will get voters’ OK, “will inform a lot with respect to enforcement.” Some businesses cited COVID-19 to delay enforcement, Hertzberg said. But “there’s a need more than ever for privacy protection given how much people are relying on the internet.”
“My expectation is that businesses will be in full compliance with the law," said Assembly Privacy Committee Chair Ed Chau (D) in a Wednesday statement. The law was passed in June 2018, so organizations had two years to update policies, he said.
“Today we begin enforcement of ... a first-of-its-kind data privacy law in America,” Becerra said Wednesday. “We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities.”
Drive to Enforce
Enforcement might start “with a bang” of immediate action or with letters warning companies they have 30 days to cure problems, said Perkins Coie’s Dominique Shelton Leipzig. Becerra appears serious about enforcement and said he’s aware of criticisms that European regulators weren’t strict enough enforcing the general data protection regulation, she said. He probably will use early actions to “send a message” about his priorities, she said.
“They’re going to be fairly aggressive,” predicted Electronic Frontier Foundation Legislative Activist Hayley Tsukayama. The AG office has “real drive” to show it can be an effective enforcer, said the EFF official, praising Becerra for not delaying enforcement.
Becerra "will hold accountable, within the scope of his ability, businesses that choose to harm consumers and violate the law from day one,” emailed Corbin and Kaiser lobbying firm CEO Samantha Corbin. Her clients include EFF, Common Sense Kids Action and Privacy Rights Clearinghouse.
DLA Piper’s Jim Halpert has “a hunch that there will be several enforcement actions announced in the next month or so,” he emailed. “They will target violations of the statute, not new requirements in the AG Regulations.”
More aggressive enforcement could wait until the September deadline for OAL to approve the rules, Carlton Fields’ Christina Gagnier said. The privacy attorney wouldn’t be surprised if the AG sends warning letters this month or announces what companies or industries will be inspected.
Expect the AG “to go after some big fish,” emailed Information Technology and Innovation Foundation Vice President Daniel Castro. Becerra has been champing at the bit to start enforcement, Castro said. “Now they will need to justify the urgency by nailing a hide to the wall.”
Priorities
Becerra probably will first prioritize cases that affect the largest number of Californians or that are egregious violations, Tsukayama said. “I don’t think anybody is particularly interested in going after medium-sized businesses that haven’t had the resources to get everything perfect.” CPRA shouldn’t have a “chilling effect” on CCPA enforcement, she said.
Mid-sized businesses should be concerned about CCPA, Gagnier said. The AG might find it attractive to go after large actors, but those well-financed companies were likely more able to put into place policies to comply, she said. Gagnier fears some companies might have waited to complete compliance until the last minute, thinking the legislature might scale back CCPA, she said: “That’s not going to happen.” Many companies might have written policies but not the mechanisms to respond meaningfully to consumers’ CCPA requests, she said.
Expect the AG to look for an "early win" by focusing on practices that cause harm, said Software and Information Industry Association Senior Director-Technology Policy Sara DePaul. Based on the AG’s public statements, he probably will focus on egregious offenses, especially those that include children's data, she said. They are more likely be violations of the law, which has been “set for some time,” rather than the AG’s still-to-be-approved rules, said DePaul.
SIIA General Counsel Chris Mohr predicted “a considerable amount of thought given to the strength of the case.” The AG may want to avoid actions that seem more likely to be challenged on First Amendment grounds, said Mohr, saying he hopes Becerra won't “waste time” on potential offenses under the statute that his draft ruled or CPRA clarified as permissible.
Early actions will likely be based solely on the law, but Shelton Leipzig cautioned that Becerra’s office said “many of the regs are actually derived from the actual statute.” That may signal “enforcement activity based on the statute really isn’t any different than enforcement activity based on the regs.”
Public attention to July 1 enforcement could inspire another round of class-action lawsuits this fall, though the number might be tempered by COVID-19, said Gagnier. Enforcement starting “will absolutely have an impact on litigation,” predicted Shelton Leipzig. She already has seen more than 55 class actions filed, with about one-third seeking recovery for direct violations of CCPA, she said. “That number is only going to scale higher as soon as this enforcement period begins,” due to “heightened attention around the law.”
ITIF’s Castro predicts many suits. “One of the big unanswered questions is how exactly the notice-and-cure provisions will work and how courts will interpret the adequacy of responses,” he said. “Privacy lawyers will not be hurting for business.”