Privacy Act Rules: Business Needs More Time to Comply

The California Chamber of Commerce is urging the Attorney General to delay the enforcement date for regulations implementing the California Consumer Privacy Act (CCPA).

The CCPA requires business owners to be in full compliance by July 1 of this year, but there are no regulations with which to comply.

The Attorney General posted the second draft of the regulations on February 10, seeking comments for 15 days. Under the typical regulatory timeline (see below), it will be at least another 30 days, plus time for the Attorney General to review the comments received, before a final regulation can be in place.

As CalChamber Policy Advocate Shoeb Mohammed pointed out in a Capitol Insider blog post this week: “The rushed compliance timeline means that a beauty salon owner who is ready to pay her lawyer to make sure she’s following the rules can’t do it today. It means the real estate agent who is ready to pay her web designer to update her website to follow the new rules can’t do it today. Why? Because there are no regulations to comply with.”

He adds, “…the CCPA’s high pressure timeline is as unfair to our AG as it is to California’s business owners. CCPA deprives the AG of the time he needs to develop a stable and predictable set of regulations.”

The newness of the regulations means it will take time for lawyers and business owners to digest the law and build compliance into their daily practices.

For this reason, business owners and the CalChamber are asking the Attorney General to find a way to delay enforcement until January 1, 2021. If the Attorney General is willing to hear California business owners on this issue, everyone will benefit from the additional time.

Issues of Concern

In its letter submitted to the Attorney General this week, the CalChamber identified the following among key sections of the regulation still in need of clarification or change:

• handling of requests to opt out;

• notice of financial incentive;

• responding to requests to know and requests to delete data;

• definitions that affect how businesses will comply with the act;

• how notices are provided when information is collected;

• training/record keeping;

• consumer requests to opt in after opting out of the sale of personal information;

• process for verifying/authenticating consumer requests;

• presentation of privacy policy;

• requirements for service providers; and

• notice of right to opt out of sale of personal information.

Process

After the comment period that ended February 25, the Attorney General will go back and review the regulations to decide whether to incorporate any feedback received through the comments, then edit the regulations accordingly.

Next, the Attorney General must decide whether to open the third draft up for more comments or submit his regulations to the Office of Administrative Law (OAL) for review.

Once the regulations are submitted to the OAL, the OAL will either reject or approve them. This process generally takes 30 days.

If the rules are rejected, the Attorney General will have to edit and resubmit them to the OAL. This process is repeated until the regulations are approved.

After approval, the regulations can finally be enforced. Unless the enforcement date is delayed, the Attorney General will begin enforcing the new regulations against California business owners on July 1.

More Lead Time

Generally, when sweeping regulations that affect all industries take shape, business owners need some lead time to get adjusted and follow the rules. But right now, the regulations business owners need to follow are still not finished.

The only person who has the power to forgo enforcement at this stage is the Attorney General himself. Business owners are hopeful that the Attorney General is willing to work together on this issue, delaying enforcement until January 1, 2021.

Staff Contact: Shoeb Mohammed