Friday, August 28, 2020

Rules Implementing California's Privacy Law Now in Effect

In an August 14 press release, California Attorney General Xavier Becerra announced that, at long last, final rules implementing the California Consumer Privacy Act (CCPA) had been approved, with some "unexpected" revisions, by the Office of Administrative Law (OAL). They became effective immediately.

As I wrote previously on the Free State Foundation blog, at one point it seemed likely, at another conceivable, that administrative hurdles would delay those rules until October 1.

January 1 was the effective date of the CCPA, but the AG was barred from enforcing its provisions until July 1. Press reports indicate that his office began notifying businesses of non-compliance on day one.


The CCPA affords businesses receiving such notices 30 days to cure alleged violations before formal enforcement activity, whether a confidential investigation or a lawsuit, can commence. Dozens of such investigations reportedly are underway. To my knowledge, however, to date no suits have been filed.

According to Stacey Schesser, Supervising Deputy AG, that first round of notices was driven by complaints received from consumers, targeted online businesses operating across a range of industries, and focused on those that allegedly either (a) had not made available mandatory disclosures, or (b) had failed to add a "Do Not Sell My Personal Information" link to their websites.

Previously, the Attorney General had indicated his intention to prioritize violations impacting minors and other vulnerable groups.

Now that the implementing rules are in effect, we should expect the AG's office to begin enforcing them, as well.

In an April 30 Perspectives from FSF Scholars, I noted that a group of over 60 affected businesses in March wrote to AG Becerra requesting that he forbear from enforcement until next January in light of the serious economic fallout from the COVID-19 public health crisis. He declined, and in the press release announcing OAL's approval of the rules, argued instead that "[a]s we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security."