In almost two months, the California attorney general’s office will start enforcing the state’s new privacy law that went into effect Jan. 1. But for businesses that are adjusting their models for the economic downturn brought on by the coronavirus pandemic, one critical issue still remains at the center of compliance: what exactly the regulator’s rules for enforcement will be.
So far, Attorney General Xavier Becerra’s office has released three drafts detailing how he will interpret key provisions in the California Consumer Privacy Act, which gives state residents the right to opt-out of the sale of their personal information and also request to see the data collected about them from companies that meet specific revenue and collection thresholds. However, until the state regulator hands down his final recommendations and definitions, consultants, business groups and attorneys say companies under the purview of the law are left in limbo over whether their current operational systems are good enough to avoid fines or other enforcement actions.
“It’s an impending fear that if we’re going to be facing enforcement starting July 1, right now in the middle of this crisis, we need to be spending money on lawyers to comply with those rules,” said Shoeb Mohammed, a policy advocate for the California Chamber of Commerce.
Currently, the California privacy law lays out a few different models or tools for how companies can comply with certain aspects of the statute. But Becerra’s rules are expected to narrow down those options, leaving some businesses scrambling to adjust their systems accordingly, according to Mark Brennan, a partner in Washington, D.C.-based law firm Hogan Lovells’ privacy and cybersecurity practice. Without specific guidance from the state regulator’s office, Brennan said companies are eagerly awaiting for any piece of information, announcement or statements about implementation and enforcement.
Becerra’s office is expected to release additional revisions to its draft guidelines after it considers a set of public comments that were due March 27. An adviser to Becerra said in a statement that the office is still “committed to enforcing the law starting July 1” and encouraged businesses to be mindful of data security during the public health emergency.
While companies and business leaders expected to have lingering questions about how the attorney general would interpret key provisions, few were prepared to weather the issue during a global pandemic that has caused many industries to rethink their entire revenue model due to social distancing. And Mohammed said now California businesses are wrestling with how to keep up with the attorney general’s rules as their available resources — like the number of employees and funds for legal assistance — change.
“It’s kind of like trying to hit a moving target with some of those regulations,” Mohammed said. “Other ones, they’ve been consistent throughout the drafts, so businesses have been able to see that and say, ‘OK, this is likely where it’s going.’ But there’s still no final confirmation that this is exactly how it’s gonna look.”
Last month, the CalChamber was among a group of more than 60 industry organizations — including the Motion Picture Association of America, News Media Alliance, Out of Home Advertising Association of America, Association of National Advertisers and the Interactive Advertising Bureau — that signed a letter to Becerra requesting that the enforcement date be pushed from July 1 to Jan. 1, 2021, citing concerns over the COVID-19 outbreak.
But Maureen Mahoney, a policy analyst at Consumer Reports focused on consumer privacy issues, said with many Americans turning to digital spaces to conduct everyday business, it’s more important now to hold companies accountable.
“People should have the confidence that not only companies aren’t selling the data about their calls for advertising purposes, but that these requirements are backed up by law and that it’s not just up to the company to decide whether or not to honor consumers’ privacy rights,” she said.
Jay Cline, PwC’s U.S. privacy services leader, said there were always going to be questions about how the attorney general would interpret the guidelines, and most companies already have mechanisms in place to at least be in compliance with the statute. However, some of his clients have already started to notice a different unintended consequence from CCPA during the outbreak: an uptick in the number of requests from consumers to access their data.
In January, once the law went into effect, Cline said there was a predictable influx of requests from curious consumers who wanted to see what was collected about them, though that interest died down by February. “But as everybody started to come home and work from home and not have anything else to do, and they were doing more shopping online, and those CCPA requests started to increase again,” he said.
Cline also said that additional companies could be subject to CCPA considerations as they adjust their business models, particularly those that were distributors who worked with other business clients or relied on some sort of supply chain that are now turning to a direct-to-consumer model.
“They’re encountering CCPA for the very first time and having to really catch up,” Cline said.
Carl Szabo, vice president and general counsel at NetChoice, an e-commerce trade association that has advocated against the state law, said the funds that businesses will have to dedicate to keep up with the office’s regulations could instead be used to pay workers.
“We’re facing a situation that no generation has ever faced,” Szabo said. “Everything has been shuttered, and sometimes it feels like the California attorney general’s office didn’t get the memo.”