Landmark CCPA Becomes Enforceable: Five Process Lessons for Policymakers
Tomorrow the California Attorney General (AG) will begin enforcement of the California Consumer Privacy Act (CCPA). This marks a significant moment in the history of American consumer privacy protection; however, the CCPA’s journey to enforceability has been far from smooth. In 2018, the CCPA was rushed through the legislative process with little opportunity for stakeholder input, in part to head off an alternative ballot initiative. Left with a hastily drafted law containing both technical errors and ambiguities, the AG’s Office has completed admirable, painstaking work soliciting and responding to hundreds of comments from interested parties to formulate regulations that clarify and implement the Act. Unfortunately, the AG’s final regulations and statement of reasons were not publicly released until June 2 of this year, well after the Act’s effective date and less than a month prior to the official enforcement date. What’s more, the validity of these proposed regulations is still uncertain, as California’s Office of Administrative Law has yet to determine whether they comply with the California Administrative Procedure Act.
The impact of the CCPA on consumer privacy interests in the U.S. cannot be overstated, and the law’s substantive rights and obligations are informing ongoing conversations around privacy protections at both the state and federal levels. However, policymakers considering new approaches to the protection of consumer privacy should also assess the circumstances and procedural history underpinning the development and implementation of the CCPA. Five important lessons can be drawn from the CCPA’s journey to enforceability:
1. People want and deserve protections for their personal information
The collection and analysis of information in the modern digital economy has driven important innovations and considerable benefits for consumers and industry alike. However, the United States’ largely sectoral system of privacy protection has also come under stress from expanding digitization and uses of personal information. In response, diverse stakeholders have increasingly sought the enactment of a baseline federal privacy framework that establishes consistent consumer rights and rules for the trustworthy stewardship of personal data.
In recent years, opinion polling has shown that many American consumers feel like they have ‘lost control’ of their data. CCPA co-sponsor Rep. Ed Chau has highlighted this concern, arguing that “California consumers should be able to exercise control over their personal information and should have reasonable certainty that there are safeguards in place to protect against the misuse of their personal information.” As enacted, the CCPA advances important and popular principles for the protection of consumer privacy, including individual rights to access and delete personal information held by companies and accountability measures such as transparency, data security, and rules governing onward transfers of data. The present multi-stakeholder, multi-party support for establishing baseline privacy rights has created a unique “constitutional moment” for consumer privacy that policymakers should act upon.
2. Making compliance a moving target hurts businesses and consumers
In order for privacy legislation to successfully induce pervasive changes in data protection practices, it is necessary to establish clear expectations for organizations in meeting their compliance obligations. However, since the adoption of the CCPA in June 2018, the Act has been amended multiple times and the AG has released three different versions of its proposed implementing regulations that have not been finalized by either the effective or enforcement dates of the Act. Furthermore, a ballot initiative titled the “California Privacy Rights Act” will be voted on in November 2020 that would significantly alter the CCPA yet again. As a consequence, organizations seeking to meet their compliance obligations under the CCPA have been presented with a continually shifting target.
This dynamic has unnecessarily burdened organizations seeking to make early investments to meet their CCPA compliance obligations, as these changing requirements may necessitate costly re-engineering of privacy management systems and reformulation of privacy plans and notices. Such compliance burdens are magnified because the CCPA itself is an extraordinarily complex and highly technical piece of legislation that totals over 10,000 words, with the AG’s proposed implementing regulations adding an additional 11,000. Furthermore, these costs are falling disproportionately hard on the thousands of small and medium-sized businesses subject to the CCPA as compared to their larger, more technically savvy peers. Finally, enacting a privacy law subject to ever-shifting definitions and substantive requirements is likely to create confusion among individuals about both their rights and how those rights may be exercised.
Policymakers should recognize that complying with a novel data privacy management regime requires significant costs and investments on the part of covered organizations to map their data holdings, develop tools for exercising privacy rights, update contracts, and meet their obligations for transparency and accountability. Therefore, privacy laws are most effectively set at the national level and should provide for both flexibility and a clear on-ramp to compliance. For example, the European General Data Protection Regulation (GDPR) adopted in April 2016 did not become enforceable until May 2018 in order to give both covered organizations and Member States adequate time to implement its requirements. In contrast, organizations covered by the CCPA face a much murkier path to compliance, with the Act counter-intuitively going into effect 6 months prior to the promulgation of final implementing regulations.
3. Resolve key issues upfront
The ambiguities and confusion over the intent of numerous CCPA provisions that resulted from the hurried enactment of the statute implicated key definitions and core features of the Act. Organizations have repeatedly sought clarity as to the scope of covered data, central definitions such as “sale” of personal information, the responsibilities of service providers, and the content of privacy notices. While many of these questions have been addressed over the course of a protracted rulemaking procedure, this process has not always been consistent. For example, a significant section clarifying the conditions under which Internet Protocol addresses should be considered covered personal information was inserted and then removed between the second and third versions of the draft implementing regulations, leaving organizations reading the proverbial tea leaves as to the significance of this transient language.
Durable and effective privacy laws demand the resolution of hard policy questions by accountable, elected representatives through the drafting process. While shunting off difficult issues may seem appealing, it can come at the expense of a law’s clarity and credibility, and it risks unnecessarily burdening and politicizing regulatory bodies.
4. Rulemaking authority should be narrowly targeted
The CCPA instructs the AG’s Office to “adopt regulations to further the purposes of [the Act].” Taking up this broad grant of rulemaking authority, the AG’s final rules touch upon almost every section of the CCPA, resulting in a document that exceeds the length of the underlying statute. These regulations provide many important clarifications; however, they also contain substantive requirements that are not contemplated by either the text or legislative history of the Act, such as an obligation for organizations to respond to a category of technology that does not currently exist, “user-enabled global privacy controls.” Whether or not the benefits of these novel requirements exceed their costs, all stakeholders should be concerned if regulatory processes can override the intended scope of privacy protections enacted by legislation and undermine legitimate business practices.
Although broad grants of rulemaking authority can be problematic, there are also aspects of privacy laws that can be strengthened through targeted rulemaking. For example, tailoring rulemaking to specific, technical issues can leverage agency expertise to give effect to a privacy law’s clear rights and requirements. Rulemaking can also be used to periodically update the law in response to new developments in technology and business practices.
5. Private rights of action are susceptible to specious litigation
The CCPA creates a limited private right of action of up to $750 in statutory damages for claims alleging a breach of private information in violation of an organization’s duty of data security. As the inclusion of a private right of action for privacy violations has emerged as a key sticking point in ongoing efforts to develop privacy legislation, policymakers should pay close attention to how this provision is operating in the CCPA. A body of class action plaintiffs’ suits citing the CCPA has emerged that appears to push the intended boundaries of the CCPA’s specifically delineated private right of action. For example, some suits have ignored the Act’s “opportunity to cure” provision, while others have cited the CCPA for causes of action unrelated to data breaches. Such cases demonstrate that even narrowly scoped private rights of action in the privacy context may open the floodgates to speculative, burdensome actions alleging bare procedural violations unconnected to cognizable privacy harms to individuals.
An effective privacy regime relies on rigorous enforcement of consumer rights. However, the nascent experience of the CCPA suggests that enforcement is best carried out primarily by a fully resourced and staffed regulatory entity that can punish bad actors. Such enforcement actions have the added benefit of resulting in clear and transparent orders that can further public understanding of rights and obligations under the law.
The much-storied CCPA will enter a new chapter this week as AG Becerra appears determined to commence July 1 enforcement on schedule, despite delays in the rulemaking process and disruptions caused by the ongoing COVID-19 public health crisis. Companies have invested enormous time and resources into complying with the CCPA, with the AG’s own impact assessment estimating a $55 billion price tag in initial compliance costs for California-based businesses alone. The CCPA is a significant and well-intentioned law aimed at empowering consumers and promoting responsible privacy practices; unfortunately, procedural deficiencies threaten to undermine the Act’s legitimacy and effectiveness. Therefore, policymakers considering privacy legislation have much to gain from familiarity with the CCPA’s disjointed procedural background.