CA Consumer Privacy Act: Enforcement Beginning Even Without Official Regulations Codified

The California Consumer Privacy Act took effect Jan. 1, 2020, with official enforcement by the California Attorney General to begin mid-year. The law is supposed to provide residents of California more control over data collected on them, but also provides trial attorneys many opportunities to target businesses.

The authors of AB 375 agreed that the CCPA would need fixes, the Cal Chamber reported. Shortly after it passed, they designated SB 1121 (Dodd; D-Napa) as the vehicle for immediate cleanup of AB 375 and committed to work on bigger problems with the bill during the 2019 session.

The law was modeled after a similar overarching law adopted by the European Union in May 2018, and appears to be a tremendous expensive and time-consuming burden on businesses of all sizes, but particularly small and medium sized businesses, giving attorneys predatory opportunities similar to California’s thriving ADA lawsuit business.

According to John Kabatek of the National Federation of Independent Business California:

• Only about one-third of California businesses are prepared to comply with the CCPA costs.
• An independent analysis conducted for the state Attorney General’s office estimates the initial compliance costs at $55 billion, affecting 75 percent of the state’s businesses.
• Initial compliance costs for affected small businesses with fewer than 20 employees will be about $50,000 per company this year alone. For companies between 20-100 employees, expect double that amount. Those with more than 100-500 employees face $450,000 for the CCPA, and large companies can expect to pay $2 million or more.
• The analysis estimated up to $16.9 billion to comply with the implementing rules over the next decade. These ongoing costs are related to software and website modifications, updated data inventories and collection (as the law fails to define “personal information”), new consumer interface processes to respond to consumer requests, employee retraining, legal counsel, and security protocols.
• The 2019 America’s Top States for Business analysis ranked California #1 for technology and innovation but dead last for “business friendliness” and “cost of doing business.”
• Ironically, while we can’t drop any lower for the business environment, the CCPA will drive down the state’s leadership in technology and innovation as well.

During legislative debate, business groups expressed concerns that the CCPA will likely not only drive some companies out of business, but could end up limiting the ways that consumers of online information, products and services are done.

“Currently, everything from toasters and baby dolls to televisions are connected to the Internet, gathering and using a wide range of information. This technology has limitless possibilities,” Senate Judiciary Committee analysis said. “Industry experts foresee a dramatic expansion in the years ahead with internet-connected household goods, including refrigerators, washing machines, dishwashers, and thermostats.”

“However, along with the promise of ‘Internet of things’ comes serious privacy and security concerns. Corporations are rapidly networking the physical world and gathering data from everything. ”

The California Chamber of Commerce warned that the law is deeply flawed, and was rushed through the legislative process in the summer of 2018 without the benefit of input from numerous crucial stakeholders. They said then and now that many of the CCPA’s provisions are simply unworkable in practice or will result in numerous unintended consequences.

“The limits put on what ‘personal information’ can be gathered are so broadly written that they apply to broad swaths of information that can’t be linked to individuals but that can help businesses develop marketing strategies,” Chris Reed wrote. “The provision banning businesses from the sale of information gathered online is so broad it will make it difficult for businesses to use information that it has gathered directly and legitimately from use of their websites to determine what customized content to provide customers.”

• The NFIB California offered changes that Attorney General Becerra can make to his draft regulations:
  the regulations must be more specific around the definition of “personal information” to clarify that it applies to information reasonably capable of being linked to a consumer. The draft regulations currently require a business to connect any and all disparate pieces of information to respond to the consumer request. This will overwhelmingly costly and time-consuming for a business trying to meet consumer needs and keep its doors open.
• the regulations must clarify that permissible interactive engagement allows small and medium-size businesses to use their limited resources to connect with customers with targeted advertising. This can be achieved by allowing interest-based interface while prohibiting companies from accessing, capturing and storing sensitive consumer information. Greater limitations will devastate smaller enterprises that depends on low-cost internet outreach to reach potential customers.
•  the regulations should err on the side of facilitating compliance rather than catching businesses that unintentionally violate the CCPA. California is already one of the most litigious states in the U.S, we don’t need another cottage industry of lawsuits against business. Furthermore, almost every legal publication and law firm that has commented on the law and the regulations mentioning the lack of clarity and conflicting definitions and provisions.

In an op ed by Julian Canete of the California Hispanic Chamber at Fox and Hounds, he said he was very concerned that the draft CCPA implementation regulations issued by Attorney General Xavier Becerra could disproportionately hurt California Latino-owned businesses. “Many newly formed Latino-owned companies are more vulnerable to substantial new operational requirements, and any new business costs impact these businesses more. Statistically, a report from the California Latino Economic Institute (CLEI) found that while nearly one-quarter of all California firms are Latino-owned, businesses owned by Latinos are smaller and generate less revenue than businesses run by whites or Asian owners.”

Kabatek said, “In response to concerns from small businesses, Becerra noted he will relax enforcement for smaller companies who make an actual effort to comply, yet equivocally stated ‘ignorance of the law is not an excuse.'”