As discussed in my last blog post, the California Attorney General submitted the final regulations for the California Consumer Privacy Act. The regulations now need sign off from California Office of Administrative Law (OAL) who will review, per state law, for procedural compliance with the Administrative Procedure Act. Once approved by the OAL, the final regulation is then filed by the OAG with the Secretary of State and becomes enforceable by law.
So what does enforcement mean vis a vis the CCPA and when will enforcement of the CCPA really begin?
CCPA enforcement will be handled by the office of the California Attorney General and businesses will be given a 30 day cure period to fix their CCPA “problems” before facing potential administrative fines. The fines themselves are $2500 for each violation and $7500 for each intentional violation “which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” In theory, the fines could be huge if the violation maps to each consumer (e.g. $2500 times X number of consumers) if the business is failing to meet its compliance requirements across the board. The law also states that businesses may also be subject to an injunction for violations.
And it seems that the California AG is gearing up for enforcement with appropriate staffing and budget. Per this article from MLex:
“Attorney General Xavier Becerra has begun a four-fold expansion of the department’s privacy enforcement team. It is in the process of hiring lawyers and legal analysts and is budgeting money for technology experts who will help it not only enforce CCPA but also to defend the fledgling law from an anticipated wave of court challenges. … Becerra asked the state legislature for funds and has received $4.5 million for ongoing enforcement and defense of the CCPA, funding that will support 23 additional positions, including eight deputy attorneys general, eight legal analysts, six clerical staffers and $250,000 a year for expert consultants.”
In other words, there is some teeth in this law with fines and a team looking to enforce. Probably the one bit of good news for businesses is that they have 30 days to cure a reported problem from the Cal AG office.
CCPA Enforcement Starts Either July 1st (or 2nd) or August 31st or October 1st
As you may recall, the CCPA was signed into law on June 28, 2018, and went into effect on January 1, 2020, but enforcement was dependent on the following clause in the law: “The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
Given that draft proposals of the regulations were still getting feedback as late as March of this year, everything pointed to July 1 as the effective date of the CCPA per the clause in the law quoted above. Note the business community was really pushing hard to have enforcement delayed for at least another year, some asking for even until January 1, 2022 given COVID-19, but the AG made it clear that he was not going to budge on the July 1, 2020 enforcement date.
But COVID-19 has potentially impacted the timeline. Typically the OAL has 30 days to review for procedural compliance, so even though the final regulations were given to the OAL on June 2, then worse case if you add 30 days we were talking about July 2 vs. July 1st. But in light of COVID-19, the OAL now could use an additional 60 calendar days to review under Executive Order N-40-20 signed by Governor Newsom. So in theory it could take 90 days from June 2, or August 31st.
But another effective date is in play — October 1st. This is because regulations in California typically become effective on one of four quarterly dates — January 1 (if filed between September 1 and November 30), April 1 (if filed between December 1 and February 29), July 1 (if filed between March 1 and May 31), and October 1 (if filed between June 1 and August 31) — the fact that it was filed on June 2 could result in an enforcement date of October 1, 2020.
But … the fineprint in the paperwork of the regulation filing by the Cal AG with the OAL asked for an expedited review within 30 days (i.e. bypassing the executive order that provides an extended review period) and also have the filing be effective on the date the OAG files with the Secretary of State vs. wait til the next quarterly date (see screenshot below). So that puts us back to potentially July 1 (by law per the CCPA if the OAL can review within 30 days) or July 2 (if they need the full 30 days).
The point is that businesses should not wait or hope for October 1, they should assume that CCPA enforcement could happen as early as July 1st. It is very likely there will be no advance notice, i.e. a press release will come out from the Cal AG office saying “CCPA is now being enforced effective immediately.” So businesses should be ready ASAP to fully support CCPA.
This is a great segue to an upcoming blog post, which compares enforcement with GDPR, CCPA and version 2.0 of the CCPA — the California Privacy Rights Act (CPRA) that will likely make the ballot in November in California.