Monday, April 13, 2020

Will Enforcement of California's Privacy Law Precede Final Rules?

Between Easter and quarantine baking, eggs are trending. But do they – or chickens – come first? No one knows for certain. By contrast, the sequential order of rules and enforcement is, or at least should be, noncontroversial. Step one, establish the do’s and don’ts. Step two, target the violators. Not when it comes to the California Consumer Privacy Act (CCPA), however.

The CCPA, which became effective on the first of January, includes language that, on its face, appears to defer the commencement of enforcement. Except that it does no such thing. California Attorney General Xavier Becerra may not initiate enforcement “until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”

No, that’s not a typo. The statute contemplates that the AG might bring action before his office has provided those subject to the CCPA with the necessary clarity that only finalized rules can afford. This is particularly problematic given that those rules will spell out actions that businesses must take in order to be in compliance. Specifically, they will define, among other things, the categories of personal information covered, the processes for submitting and responding to opt-out requests, and the manner in which notices must be provided.

Making matters worse, the AG’s office has indicated that it will consider taking retroactive action – that is, pursuing companies for alleged violations that occur prior to July 1.

Businesses cannot comply with rules that do not yet exist. Nevertheless, and even though the CCPA was adopted back in 2018, the AG’s office did not publish proposed rules until October 11, 2019 – virtually assuring that they would not be finalized by this July. Since then, it has issued two sets of modified rules, on February 10 and March 11. Comments on the latter were due just over two weeks ago. What the next steps are (yet another round of edits?), and how long they might take, currently are not known.

Then, on March 30, California Governor Gavin Newsom issued Executive Order N-40-20, which, in light of the impact of the Coronavirus-related State of Emergency that he declared on March 4, extends “deadlines …related to the filing, refiling, certification and/or review of regulations and emergency regulations … for a period of 60 calendar days to allow state agencies additional time to finalize regulatory changes pursuant to the Administrative Procedure Act.”

As a practical matter, this effectively ensures that, come July 1, entities covered by the CCPA will find themselves in regulatory no-man’s land.

On March 20, a group of 66 trade associations, companies and other organizations wrote to Attorney General Becerra asking that he forbear from enforcing the CCPA until January 1, 2021. They based their request on both the incomplete status of the rules and the general impact of the COVID-19 pandemic.

An advisor to the AG, responding to a request for comment by Forbes, wrote in an email that “‘[r]ight now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first…. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

As Dan Jaffe, Executive Vice President of Government Relations for the Association of National Advertisers (one of the signatories to the forbearance letter mentioned above) recently blogged, “[e]nforcing last minute regulations without giving companies time to adapt their practices accordingly is not right. It is not fair for consumers who expect standard, legally compliant responses from business. It is not fair for businesses who deserve clarity in regard to their obligations under the CCPA.”