Through three rounds of public comments dating to last October, business groups and consumer advocates have pressed Attorney General Xavier Becerra to provide more specifics on how to interpret key terms in the California Consumer Privacy Act, including what constitutes a “sale” of personal information that consumers can opt out of and how to determine the value of consumer data.
But the attorney general failed to deliver this clarity with his final version of the regulations, which in a largely procedural step were sent to the state’s Office of Administrative Law for approval on June 2 and were nearly identical to the last iteration of the rules.
“The aspects of the CCPA regulations that were ambiguous in March when the second set of modifications were issued remain ambiguous today as we approach the enforcement date,” said Reece Hirsch, co-head of the privacy and cybersecurity practice at Morgan Lewis & Bockius LLP.
With the attorney general now having had his final say, “the race is on for businesses to finalize their CCPA compliance efforts by July 1,” when the attorney general is able to begin enforcing the law, Hirsch added.
This sprint will require companies to make judgment calls on several vital issues that the attorney general left somewhat open-ended, including what exactly a digital button that consumers can select to opt out of the sale of their data should look like and whether the exchange of data for advertising purposes qualifies as a sale.
The odds are high that these choices won’t always align with how the attorney general views companies’ statutory obligations, setting the stage for high-stakes clashes as enforcement kicks into gear, experts say.
“I’d imagine that, once the attorney general starts enforcing, there will be a lot of debates and arguments over the trickier definitions in these regulations, which will ultimately eventually lead to more consensus on these issues,” said Mary Stone Ross, who in her past role as president of the advocacy group Californians for Consumer Privacy helped draft the ballot initiative that spurred the enactment of the CCPA in June 2018.
Ross, who now runs her own consulting firm, MSR Strategies, said that she’s expecting the attorney general to be an active enforcer out of the gate. She pointed to his repeated unwillingness to bend to industry calls to delay the enforcement deadline and the way his office “really stayed true to the consumer-focused elements of the law” in the face of “thousands of pages of comments” from the business community arguing that the regulations went too far.
“The final regulations are a very clear signal that the attorney general’s office is going to take enforcement extremely seriously in order to further try to protect consumers,” Ross said.
While companies have had to comply with the CCPA since Jan. 1, and the attorney general is empowered to police alleged violations dating back to then, the upcoming enforcement deadline marks a new phase that ramps up urgency for businesses to ensure their house is in order.
“Companies that came into compliance with the CCPA on Jan. 1 had to follow what the law’s text said, since the regulations weren’t final yet, and now companies are going to need to again assess their baseline CCPA compliance and take stock of how they’re managing things like consumer requests to evaluate how they’ve been doing in light of the regulations becoming final,” said Duane Pozza, a partner at Wiley Rein LLP.
Many companies have already taken key steps such as updating their privacy policies and vendor agreements, given that there’s little debate over how to interpret the law’s core requirements that consumers be able to find out what data online businesses such as Google and Facebook hold about them; to request this data be deleted; and to opt out of the sale of this information, according to attorneys.
The work that largely remains to be done — and where the disputes are most likely to brew — will be over what back-end technical measures need to be in place to ensure that consumers are able to exercise those rights, including building a compliant opt-out mechanism for data sales and ensuring that personal data that might be subject to consumer access requests is properly categorized, attorneys say.
“It will be interesting to see if the attorney general is going to use enforcement as a way of clarifying some of the open issues, like what constitutes a sale of consumer data, and issues big decisions that impact some of the judgment calls that companies are making,” said Jeremiah Posedel, a Faegre Drinker Biddle & Reath LLP partner.
A key to these fights for companies will be to make sure that they’ve thoroughly documented their thought process when it comes to making decisions on these gray legal issues, attorneys say.
“Companies don’t want to be in a position where the attorney general says, ‘Why did you make this decision?’ and they have nothing to support it and are scrambling to remedy it,” Posedel said, adding that he would suspect the attorney general would “take a much harder position” against those companies as opposed to ones that can “communicate their thought process and make a strong argument for why they made that decision.”
Christine Lyon, a partner at Morrison & Foerster LLP, noted that while the final version of the regulations didn’t answer all the concerns raised during the public comment period, companies do have a greater degree of certainty about the attorney general’s expectations than when the regulations were in draft form, and the unresolved issues could allow companies some welcome flexibility.
“There are certainly areas where the attorney general could have gone further and where companies wanted more details, but at the same time it’s very hard to create rules that apply across industries, and sometimes flexibility is good for companies,” Lyon said.
Businesses also could glean guidance from the final statement of reasons issued by the attorney general along with the regulations, which provides a deeper dive into the regulator’s thinking as well as responses to the more than 1,000 public comments that were received during the rulemaking process, noted Brian Lam, special counsel in the privacy & cybersecurity practice at Mintz Levin Cohn Ferris Glovsky and Popeo PC.
“This document contains some very important insights into how the attorney general will enforce and interpret the regulations once they’re finally approved,” Lam said.
A potential ballot initiative that would come before California voters in November is also likely to provide greater clarity on many of these disputed issues, according to attorneys.
Californians for Consumer Privacy, the advocacy group founded by real estate developer Alastair Mactaggart that spearheaded an effort two years ago that led the state legislature to quickly enact the CCPA to avoid having the group’s earlier ballot initiative presented to voters, is again building steam for a new initiative that would revamp the landmark law.
The group announced in May that it had collected enough signatures to qualify the California Privacy Rights Act, or CPRA, for the November ballot, and state officials have until June 25 to confirm whether the initiative qualifies.
Between the coronavirus pandemic and the significant lift required for companies to prepare for the July 1 enforcement deadline, the CPRA has largely flown under the radar for many companies, although that’s likely to soon change, attorneys said.
“The CPRA is an enormous ballot initiative and is so much more comprehensive even than the CCPA, so it’s something that companies absolutely should be paying attention to,” said Bethany Gayle Lukitsch, a partner at McGuireWoods LLP.
The proposed ballot initiative would expand the CCPA in several important ways, including by giving consumers the right to limit the use and disclosure of a new category of “sensitive” personal information and allowing them to opt out of not only the sale but also the sharing of their data. The initiative would also establish the California Privacy Protection Agency, which would replace the state attorney general’s office in enforcing the law.
Because the ballot initiative, if enacted, can’t be easily amended by the legislature like the CCPA could, its passage would essentially establish “an omnibus privacy regulation in California that would be virtually impenetrable, and create a more difficult hurdle for lobby groups and companies that would want to modify any uncertainties that already exist under the CCPA or anything that the CPRA adds,” noted Baker Botts LLP special counsel Cynthia Cole.
Ahead of a hearing that the California legislature convened Friday on the new ballot initiative, advocacy group Consumer Reports asserted that the proposal would “fix some of the problems with the CCPA that companies have exploited, including closing up targeted advertising loopholes, strengthening enforcement and preventing the legislature from weakening the law.”
“At the same time, we have concerns that the ballot initiative introduces new complexities and ambiguities, and explicitly blesses certain loopholes — like allowing service providers to combine data sets,” Maureen Mahoney, policy analyst at Consumer Reports, said in a statement.
Lukitsch, the McGuireWoods partner, predicted that there’s going to be “a lot of attention to the sharing of data and what constitutes a sale” under the CCPA once the initial enforcement phase kicks off next month. The CPRA, which if successful wouldn’t take effect until the beginning of 2023, could potentially resolve this issue by expanding opt-out requests to explicitly include these sales.
The ballot initiative could also help resolve other outstanding issues, including First Amendment issues that have been raised by groups such as the Software & Information Industry Association.
The trade group has argued that the CCPA unconstitutionally interferes with free speech by subjecting information available in the public domain, such as data from registries, directories, news reports and public social media channels, to near blanket rights of deletion. Throughout the public comment process, SIIA repeatedly urged the attorney general to amend the law’s definition of personal information to exclude information is lawfully made available to the general public through “widely distributed media,” as the proposed CPRA does.
Sara DePaul, senior director of technology policy at SIIA, said that the group was “extremely disappointed” that the attorney general failed to make these requested changes in his final version of the regulations.
While SIIA has yet to announce its position on the broader ballot initiative, Chris Mohr, SIIA’s vice president for intellectual property and general counsel, noted that the way the CPRA handles the First Amendment issue would make that proposal “less vulnerable to constitutional attack.”
He also noted that there appears to be an “emerging legislative consensus” in other states and at the federal level that First Amendment issues have to be addressed in order for privacy statutes to pass constitutional muster. This recognition has come through most notably in baseline privacy legislation that has been floated by Senate Commerce Committee Chairman Roger Wicker, R-Miss., as well as similar legislation proposed by Sen. Maria Cantwell, D-Wash., and the proposed CPRA ballot initiative in California.
In a study conducted in February, Holland & Knight LLP found that many companies appeared hesitant to invest heavily in implementing the draft CCPA regulations that were available at the time, due to factors including the still-evolving nature of the rules and the potential for a federal law that could preempt California’s requirements.
But with the coronavirus pandemic stalling most lawmaking efforts and the regulations essentially finalized, these efforts are likely to become even more of a priority for companies, according to Holland & Knight partner Ashley Shively.
“With the enforcement deadline coming up, there’s an urgency again that will need to be balanced with emergent pandemic-related issues, including the privacy issues that are going to come up in connection with reopening companies in the coming months,” Shively said. “It’s going to be a struggle for everyone.”