California Attorney General Xavier Becerra announced Tuesday that his office has submitted proposed final regulations under the California Consumer Privacy Act to the state's Office of Administrative Law.
The attorney general's office has requested an expedited review of the regulations by OAL, which will have 30 working days and 60 additional calendar days to process the regulations for compliance with the Administrative Procedure Act. Following OAL approval, the regulations will move to the Secretary of State and become enforceable by law.
The Privacy Advisor reached out to Becerra's office for comment, and they referred us to Tuesday's news release.
"The California Consumer Privacy Act, which gives consumers choice and control over personal information in the marketplace, is game-changing and historic," Becerra said in a statement. "Our regulations provide businesses and individuals with guidance on how to protect that choice and boost transparency, while continuing to unleash innovation."
Becerra added that businesses have been given ample time to work on CCPA compliance, which has his office "committed to enforcing (the law) starting July 1."
Enforcing the proposed regulations, however, may take on a different timeline.
Hurdles remain for the attorney general's office to get to the finish line by July 1. While the office has requested its review be bumped to the front of OAL's docket, DLA Piper Partner Jim Halpert said granting such a request isn't a given with a backlogged line of 64 other reviews.
"It's not clear that OAL would actually be able to move forward and do this," Halpert said, adding that OAL has received two additional emergency requests in the last week. "There are some interesting legal questions on the authority the attorney general's office has to do some of the things they are going to be doing. It requires some legal analysis."
Even if the attorney general's office has its request granted, Halpert foresees the 60-day time frame as a more likely scenario for OAL to complete a review. In that case, the attorney general might then need to file a request to have the regulations take effect upon OAL approval since it falls outside the standard quarterly enactment dates.
The most noteworthy part of the much-anticipated submission was the proposed final regulations were largely unchanged from the prior draft released in March. The filing includes the Final Statement of Reasons discussing every modification made to the regulations since their January introduction. Additionally, there are more than 500 pages of summaries and responses for every public comment submitted during the drafting process.
"The positives here are that the concepts are not new and the positions of the consumer advocates and industry on such controversial areas as whether cookies on a website are 'sales' under the statute have been clarified," Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, said.
Halpert attributed the lack of changes to a busy time for the attorney general's office in recent months but indicated there may have been a level of satisfaction with where the regulations stood.
"It's clear there was a lot of work done refining these since they issued two different versions in pretty rapid succession while trying to strike a balance," Halpert said. "Clearly they decided to stop where they were in March. It's just a little unfortunate this is coming out a month later than expected."
The move to finalize the regulations without substantial changes won't be welcomed by all. General clarity within the regulations' text is one point of contention that remains, according to Baker McKenzie Partner Lothar Determann.
"Most businesses are overwhelmed by the complexity and excessive word count of the statute — more than 10,000 words — and regulations — more than 11,500 words," Determann said. "Few have the resources to read and understand — let alone comply with — the CCPA and its regulations, particularly since this is only one of dozens of privacy laws in one of 50 states from one in 192 countries."
Hintze Law Managing Partner Susan Hintze, CIPP/US, CIPT, FIP, sees potential discrepancies arising from unaddressed holes or omissions within the regulations. Among the unresolved issues is an unclear definition for deidentified personal information.
"The definition in the CCPA is still contradictory," Hintze said. "Guidance on a definition aligned closer with the (EU General Data Protection Regulation) definition of pseudonymous data would be helpful and incent reducing the use of directly identifying data."
Hintze also mentioned potential outstanding issues with ambiguities on definitions pertaining to the advertising industry, interpretation of a household, and a proper understanding of how to handle deletion and access requests for unstructured data.
As far as what enforcement will look like upon final approvals, Halpert expects new requirements within the final regulations will be somewhat overlooked in favor of those in the statute of the law. However, with the attorney general's thought process unclear, Shelton Leipzig said companies need to be as prepared as they can be for the unknowns that lie ahead with enforcement.
"Given California’s propensity for consumer litigation, the advent of the attorney general's enforcement will most certainly usher in more consumer litigation, as well," Shelton Leipzig said. "The wait-and-see strategy is not advisable at this juncture."
Photo by Joshua Sukoff on Unsplash
