The CCPA can be enforced as of today – what does that mean, and where does it leave us?

Today is the first day that the California Attorney General (AG) is authorized to bring enforcement actions under the California Consumer Privacy Act (CCPA). It marks the start of what is likely to be an evolving process of privacy enforcement in California as the AG and the courts interpret the law for the first time, and while the status of the law itself remains in flux over the next few years.

How did we get here?

• In 2018, Californians for Consumer Privacy were set to have their original version of the CCPA appear on the November 2018 ballot, but after negotiations with the California legislature, a compromise version of the CCPA was quickly passed into law.
• In 2019, the AG solicited initial input on CCPA regulations, both in writing and through hearings around California, and published the first of four versions of the regulations. At the same time, the legislature passed amendments to the CCPA, and Californians for Consumer Privacy introduced a new ballot initiative, the California Privacy Rights and Enforcement Act of 2020 (CPREA).
• So far this year, the CCPA went into effect on January 1st, and the AG has produced three different versions of the regulations – two modified drafts and final proposed regulations. Californians for Consumer Privacy succeeded in qualifying their new initiative for the November 2020 ballot, now updated and re-named the California Privacy Rights Act of 2020 (CPRA).

Where does that flurry of activity leave us today?

• The CCPA itself has technically been in effect since January 1, 2020. Private litigants have been taking advantage of the CCPA’s limited private right of action for alleged data breaches since then, but those lawsuits have not affected ad-tech companies to date because the kinds of pseudonymous information ad-techs generally use are not subject to the private right of action.
• Not until today, however, is the AG authorized by the CCPA to start bringing enforcement actions. That means, for example, that the AG may now bring a civil enforcement action for a business’s alleged failure to respect a California consumer’s request to opt out of the sales of personal information, or a service provider’s alleged failure to adhere to the strictures of their contracts. Such enforcement actions could result in fines of $2,500 for each violation or $7,500 for each intentional violation. AG Becerra has indicated that his office may bring enforcement actions for violations alleged to have occurred since the CCPA’s January 1 effective date.
• After a business has been notified of alleged violation(s), that business has up to 30 days from the time of notice to cure the violation before being subject to an enforcement action and/or fines.
• Although the AG proposed final regulations on June 1, those regulations are not yet directly enforceable because they have not yet been approved by the California Office of Administrative Law (OAL). For example, it’s possible that controversial language governing conflicts between local and global “do not sell” signals that appear in section 999.315(d)(2) of the final proposed regulations, but not the CCPA, may not be enforceable until the OAL approves the regulations.

What are the next steps in this evolving process?

• As of June 1, the OAL had 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review, approve, and file the AG’s final proposed CCPA regulations to make them effective. By my count, that means the OAL could make the regulations effective and enforceable any time between today and September 12, 2020. Or, the OAL could reject the proposed regulations for non-compliance with California’s Administrative Procedure’s Act.
• California voters appear likely to approve the new CPRA ballot initiative this November. The CPRA, if approved, will significantly overhaul the CCPA and shift enforcement and rulemaking from the AG to a new California Privacy Protection Agency. The CPRA would take effect on January 1, 2023.

It has been difficult to track, much less plan compliance with CCPA developments over the last 18 months in the midst of legislative amendments, evolving proposed regulations, and Californians for Consumer Privacy’s second foray into direct democracy to alter the longer-term outlook. Regardless, businesses should expect to see the AG bringing enforcement actions under the statute in the near future, while remaining flexible in planning for new requirements under the final proposed regulations later this year, and under the CPRA in 2023.