While California Attorney General Xavier Becerra has committed to begin enforcing the state's new privacy law on July 1, some businesses are scrambling to comply with a law that may not have final regulations in place when enforcement begins.
The proposed final regulations are meant to provide guidance to businesses for how to comply with the law, but a scenario is emerging where the attorney general could begin enforcement before the final regulations are approved. Legal experts warn this could cause great uncertainty for some businesses attempting to comply with the law.
"It's just an incredibly challenging environment for business," said Adam Connolly, a California-based partner who advises clients on privacy at the law firm Cooley LLP, in an interview.
Connolly says his clients are frustrated with the challenge of figuring out how to comply with "this 10,000-word, poorly-drafted statute with lots of ambiguity."
"They are rightly concerned that they may be held to requirements of the regs before they're totally in effect," he added.
The California Consumer Privacy Act, or CCPA, promises to implement a range of new privacy requirements that will compel companies across industries — including major tech companies, such as Facebook Inc. and Alphabet Inc.'s Google LLC — to give consumers more access and control over their data. The law, which took effect January 1, stipulates that the attorney general shall not bring an enforcement action until July 1.
Among other provisions, the CCPA will give consumers the right to opt out of having a business sell their personal information to a third party. The law will also let them know why a company wants to collect their data.
On June 2, Becerra announced he had submitted proposed final regulations to the California Office of Administrative Law, or OAL, for approval. He asked the office to complete its review of the proposed final regulations within 30 business days, citing the law's July 1 enforcement date.
The OAL typically has 30 working days to review proposed regulations, according to legal experts, but because of an executive order related to COVID-19, the office has an additional 60 calendar days, if needed.
After an OAL review, regulations must also be filed with California's secretary of state to become effective. Generally, any regulations filed with the secretary of state between June 1 and Aug. 31 would become effective Oct. 1, but earlier effective dates can be enacted if good cause is demonstrated.
Despite the uncertainty surrounding the final regulations, Becerra's office stated in a June 2 news release that the law "will be enforced starting July 1, 2020."
Some feel that because there were multiple drafts of the proposed regulations, they have enough of a sense of the regulations to attempt compliance.
"I think our view and our clients' view was that you should comply with the regulations as they stood probably by the second iteration and that we weren't going to get a whole lot more clarity until enforcement started," Jennifer Daniels, a partner at law firm Blank Rome LLP who works with clients on privacy compliance, said in an interview.
"I think many organizations, their view was ... we're going to make a good-faith effort and hope that, if, for some reason, we were the ones in the cross-hairs come July 1, that the attorney general's office would work with us because we had made a good-faith effort," added Daniels.
Connolly agreed, to an extent, saying the proposed regulations are the best source of guidance for those looking to comply with the statute, but noted that it is difficult to decipher where to draw the line between interpretation of the statute and promulgation of new rules.
"Businesses don't know how the AG will look at that divide and how much of what's in the regs will be things that the AG will expect you to have done by Jan. 1 [when the law took effect]," said Connolly.
Both Daniels and Connolly agree that Becerra has the authority to begin enforcement July 1; however, Connolly believes any enforcement that preceded the regulations would be "complicated" and open "avenues of attack" for those resisting enforcement.
For his part, Becerra previously said that during the first six months of 2020, his office will monitor companies that handle large amounts of sensitive consumer data, such as health records and social security numbers. His office reportedly will also prioritize a provision of the law that mandates parental consent to sell personal information of customers under 13 and that requires "explicit consent" from customers between 13 and 16 years old.