In the face of calls for a federal consumer privacy law, California took another step toward filling this gap at the state level. The California Attorney General (AG), Xavier Becerra, released new draft regulations clarifying and expanding the California Consumer Privacy Act (CCPA) the day before the governor approved seven amendments to the law. The AG also released a Notice of Proposed Rulemaking and an Initial Statement of Reasons. These regulations are the result of seven public forums and over 300 written comments received during the AG’s preliminary rulemaking activity.
The AG’s draft regulations cover five key areas:
- What information must be covered when companies provide consumers with notice and how that notice must be delivered (Article 2);
- How companies are to respond to consumer requests exercising their right to know or right to delete (Article 3);
- The varying standards for verifying consumer requests depending on the type of request received, the type of personal information involved, and the company’s relationship to the customer (Article 4);
- How the CCPA’s treatment of minors’ personal information differs from the treatment under the federal Children’s Online Privacy Protection Act (COPPA) (Article 5); and
- How companies are to apply the CCPA’s non-discrimination provisions (Article 6).
The ultimate impact of the CCPA and these regulations is now becoming clearer. According to an economic impact assessment prepared for the Attorney General’s office, the law is expected to cost companies a total of up to $55 billion in initial compliance costs, nearly 2% of California’s 2018 gross state product. Additionally, the California Department of Finance estimates that compliance costs could range from $50,000 to over $2 million for larger companies that “heavily exploit personal data.” These costs do not come without benefit: the AG’s office calculates that the regulations will produce $12 billion annually in total statewide benefits.
However, the regulations’ release has also renewed concerns about the CCPA and state privacy laws generally. The Interactive Advertising Bureau, a trade association for digital advertisers, expressed concerns about the risk of “unnecessary costs to innovation, content development, and general services that could be devastating to small and mid-size California businesses, including potential job losses.” Similarly, in a recent op-ed, Michael Beckerman, the head of the Internet Association—a trade group that includes Amazon, Lyft, and Facebook—reiterated that a patchwork of state laws creates headaches for businesses seeking to comply and a false sense of security for consumers who may think that a law like the CCPA applies to them.
Even regulators and businesses that may not be directly affected by the law are likely monitoring its impact, as numerous states have proposed their own versions of the CCPA. Some of these laws go further than the CCPA and its regulations by, for example, allowing for a private right of action for any violation. In the case of New York’s proposed Senate Bill S5642, the bill also includes fiduciary duties for companies, requiring them to “act in the best interests of the consumer, without regard to [their own] interests” when processing consumer information. And for states that have yet to consider consumer privacy legislation, the feedback provided in the CCPA’s rulemaking process will likely inform their efforts moving forward.
The AG’s office is collecting written comments by mail or by email on or before December 6, 2019, at 5 PM. Additionally, the office is holding four public hearings across California in early December. While the CCPA takes effect on January 1, 2020, the AG has until July 1 to adopt regulations and to begin enforcement actions. While the ultimate state of consumer privacy legislation is still up in the air, California’s new regulations paint a vivid picture of what the future may entail.