It is full speed ahead with the July 1 enforcement of the California Consumer Privacy Act (CCPA).
The law, which took effect Jan. 1, contained a six-month enforcement delay. In March, a coalition of more than 60 businesses and trade groups led by the Association of National Advertisers asked California Attorney General Xavier Becerra to consider an additional six-month enforcement delay to Jan. 2, 2021, citing coronavirus disruptions and two revisions that caused further confusion. On Monday, however, Becerra’s office reiterated its commitment to the planned enforcement date.
“CCPA has been in effect since January 1, 2020,” wrote Becerra’s office, in an e-mailed statement. “We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.”
On June 1, the AG’s office submitted its final CCPA rulemaking package to the California Office of Administrative Law (OAL). Because of disruptions from the pandemic, Gov. Gavin Newsom (D) has issued an executive order extending the OAL’s typical 30-day approval period to 90 days. With the extension, OAL could take until Oct. 1 to approve the CCPA. However, the AG’s office has requested an expedited review, according to an AG’s office spokeswoman, so the law can be enforced starting July 1.
The regulation, which contains provisions on how businesses should handle their customers’ personal information going back to Jan. 1, 2019, is likely to impact a broad swath of companies, including tech giants like Facebook and Google and retailers like Walmart and Amazon.
Earlier this year, Becerra dismissed requests from companies that his office provide a “seal of approval” that would certify that a company’s privacy program met state standards.
“Within such an evolving field, how do you make sure that everyone is conforming to what the seal represents,” Becerra said in a Reuters story. The AG also told Reuters his office will “look kindly” on companies that make a good-faith effort to comply with the law as it begins to be enforced.
An economic impact assessment prepared for the AG’s office by an independent research firm found compliance with the regulations will cost businesses between $467 million and $16.5 billion between 2020 and 2030.
Prepare for class-action lawsuits
While much has been written about the CCPA’s set of rights regarding consumer personal information and the steps businesses must take to respond to consumer requests, less attention has been paid to another portion of the bill, which allows consumers to sue businesses directly for mishandling their personal information.
Jon Mendoza, chief information security officer for Technologent, a California-based IT solution provider, said such class-action lawsuits “could be devastating to an organization.”
Already, lawsuits like one filed in February by a California woman against online retailer Hanna Andersson and its e-commerce platform Salesforce could provide a roadmap for future class-action lawsuits. In most states, consumers file data breach complaints with their state attorney general’s office. The state AG then handles the investigation of the complaint, as well as any enforcement action. The CCPA opens businesses up to another level of liability, Mendoza said.
Nevada became the first state to follow California’s lead, passing a privacy bill in 2019 that gives consumers the right to opt out of having businesses store and use their personal information but does not give consumers the right to sue businesses. Legislatures in Washington state and Hawaii are each considering consumer privacy laws.
This trend could create a “patchwork quilt” of state consumer privacy laws that businesses would have to comply with, Mendoza said.
“We’re talking about the possibility of 50 different state regulations,” he said. “There needs to be a national privacy act.”