Businesses Brace for Impact as CCPA Takes Effect
Businesses entered the new year with questions about the California Consumer Privacy Act that took effect Wednesday, privacy attorneys told us this week. California Attorney General Xavier Becerra (D) has until July to develop rules and start enforcing them, but CCPA is now law with enforcement to look back to Jan. 1.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Expect the first lawsuits to be filed under CCPA this month, emailed Dorsey privacy attorney Jamie Nafziger, whose firm has been getting ready to defend businesses from class actions that could yield $100-$750 in damages per prevailing plaintiff. More states could pass privacy laws in 2020, predicted Covington's Libbie Canter.
The regime's authors defended the law in Thursday statements to us. It's “a major shift in how many do business," said California Senate Majority Leader Bob Hertzberg (D). "There will be growing pains, but the intent is for businesses to do their best to follow the proposed regulations. Following the CCPA to the letter of the law is the right thing to do."
Assembly Privacy Committee Chairman Ed Chau (D) noted that "it may take some time to get accustomed to the newly created law." Implementation previously was delayed for a year, he added. "Compliance ultimately comes down to how it applies to specific business models, procedures developed for compliance, and enforcement" by the AG.
“The internet is not going to crash” and small businesses won’t die from CCPA, said Kevin Baker, American Civil Liberties Union California director-Center for Advocacy and Policy. Despite doomsaying from industry, “companies have spent a good deal of time and energy and money ... preparing themselves to come into compliance, and I fully expect that every responsible company will be in compliance as of the effective date.” While covering only Californians, CCPA has national effects because “most companies find it more convenient and economical to not try to segregate out who is a California consumer,” and “most companies don’t want to be seen as treating people’s privacy differently based on what side of a state line they belong,” he said.
Industry Concern
Despite assurances, industry lawyers are concerned.
“It’s been a crazy rush to the finish line for clients trying to implement the draft regulations before January 1,” emailed Wiley Rein’s Joan Stewart. The firm blogged about CCPA compliance Thursday. Becerra’s recent statement that enforcement starting July 1 will look back to Jan. 1 is a big concern because it means "companies are having to implement the law based on draft regulations” that “added new elements not contemplated in the statute.” Draft rules failed to clarify other parts of the law that perplexed businesses, she added. The AG received about 1,700 pages of comments on proposed rules last month (see 1912160047).
This regime remains complex and ambiguous, which will likely produce “a vast variety of interpretations as businesses attempt to parse not only the textual meaning of the law but also the practical impact on their information collection and usage practices, both online and offline,” Nafziger said. Businesses are “in a state of limbo,” the lawyer said. “To comply with the regulations now may entail hefty revisions later on, eating up time and money. ... Waiting to comply, however, may plunge companies into a state of urgency." Nafziger sees among businesses "a ‘wait and see’ approach that we think will continue to characterize CCPA efforts over the next several months, as businesses evaluate what becomes the de facto ‘industry standard’ and potentially move toward a compromise position as they wait for the final regulations.” Many companies will wait to complete compliance efforts until after the AG finalizes rules, while some are “agreeing to move forward as a group with certain interpretations of the law,” she said.
“A lot of companies took the Jan. 1 effective date very seriously and have tried their best to be compliant or nearly 100 percent compliant by Jan. 1,” said Canter, who has business clients of different sizes: “Everyone will be closely watching for the final rules that the AG issues, and any guidance or statements that the AG makes, because there are a lot of interpretive questions under the statute.”
Without final AG rules, many companies “will probably decide July is the real start date and just implement the easier items before then,” emailed Cowen analyst Paul Gallant. CCPA “will end up benefiting Facebook and Google by putting the heaviest new regulation on the smaller competitors,” he said. “CCPA makes it harder to transfer user data, which smaller advertisers need to do but the largest players don’t.”
The effective date puts “burden on consumers to take action” to protect their privacy rights, but there hasn’t been much public education on how that will work, said ACLU’s Baker. “It will probably start off slowly, and as people become more aware and more knowledgeable about the law works, I think we’ll probably start to see greater use.” Over time, he hopes to "see a change in behavior.”
States and Congress
States and congressional lawmakers are weighing privacy changes of their own.
Washington and Illinois could carry momentum from 2019 to pass privacy laws in 2020, said Canter, noting bills passed one of two chambers in each state. Washington state Sen. Reuven Carlyle (D) plans a revival (see 1911190027). That bill is more like EU’s general data protection regulation, so companies now complying with GDPR may find it easier to follow Washington’s law than California’s, she said. Canter is also watching Connecticut and Hawaii, which last year formed privacy task forces or ordered studies on possible comprehensive privacy laws, she said. New York legislators heard testimony in November on a privacy bill (see 1911220061).
State laws might not greatly affect wording of a national bill, Canter said. Capitol Hill is watching what states are doing, but privacy proposals by Sens. Maria Cantwell, D-Wash., and Roger Wicker, R-Miss., seem “fairly well-formed,” the attorney said.
“The failure of the federal government to lead on privacy -- and on related issues of consumer protection and competition online -- has come into even sharper focus," said Sen. Mark Warner, D-Va., Thursday. States are acting as the FTC keeps stumbling and Congress appears "unable to step up and put in place much-needed guardrails to ensure user privacy and data are protected," Warner said. "These issues cannot be addressed on a state-by-state basis."