Businesses spent the latter months of 2019 working hard to prepare for the January 1, 2020 implementation of the California Consumer Privacy Act (CCPA). Months later, those businesses still are uncertain of their full range of potential compliance obligations because the California Attorney General’s (CAG) CCPA implementing regulations are still not final. As businesses refine their CCPA compliance programs, they should also be aware that privacy rules in California could again change before the end of this year if the California Privacy Rights Act (CPRA) ballot initiative is approved by voters.
Both the CAG draft regulations and the CPRA are subject to complicated administrative processes that could affect their adoption and implementation, as described below.
The CAG appears committed to begin enforcing the CCPA starting on July 1, 2020—the date on which the statute authorizes enforcement to begin—despite not yet having finalized the key compliance obligations that will arise only from the regulations. Before the regulations can be implemented, the CAG needs to submit a final version to the California Office of Administrative Law (OAL) for its approval.
The California Attorney General accepted comments on the second set of modified draft regulations (the current version) until March 27. This means that a new set of modifications could be released publicly sometime soon for another round of comments or the CAG could submit the current version for approval and finalization by the OAL.
According to information published by the OAL, If the CCPA regulations were to be finalized by May 31, they would take effect on July 1. However, if the finalization occurs in the window of June 1-August 31, normal process would dictate that the regulations take effect on October 1 (which is after the CCPA’s enforcement deadline). This timeline assumes that the OAL would be subject to a limited 30-day window to review the CAG’s final regulations.
A recent executive order by the California Governor Gavin Newsom—in response to the COVID-19 pandemic—has extended the OAL’s timeframe for approving draft regulations by an additional 60 days. This extension may have the effect of lengthening the time it takes for the CCPA regulations to be finalized.
California Privacy Rights Act
While some obligations arising under the CCPA are subject to change when the CAG’s regulations become final, a new ballot initiative—the CPRA—could significantly amend and expand the CCPA. The CPRA is a ballot measure created by Californians for Consumer Privacy, led by co-founders Celine Mactaggart and Alastair Mactaggart—the CCPA’s chief architect—to create new privacy obligations and re-introduce some of the CCPA’s more restrictive measures that appeared in a 2018 ballot initiative.
As was originally intended for the 2018 ballot initiative, the CPRA would be presented to California voters for their adoption of the ballot measure, rather than passed through the legislative process. To place the CPRA on the November 2020 ballot in California, Californians for Consumer Privacy needs to gather the signatures of 623,212 California voters who support the initiative.
This week, Californians for Consumer Privacy announced that they are submitting over 900,000 signatures to qualify the CPRA for the November 2020 ballot. This suggests that the group is confident it has gathered the 623,212 valid signatures required to place CPRA on the November 2020 ballot. The signatures gathered by Mactaggart’s group still need to be counted and verified by CA election officials (a process that can take 38 working days, or longer in some circumstances). Given that the deadline for the Secretary of State to certify that ballot initiatives have received the required number of signatures is June 25, 2020, Mactaggart has barely left enough time for this process.
The large number of signatures submitted by Mactaggart suggests there is a good chance he has gathered enough signatures to place the CPRA on the November ballot. However, if the random sampling verification process indicates that the number of valid signatures is within a narrow margin of the required threshold (i.e., less than 110% of the required number), the June 25 deadline would likely pass before the verification process could be completed. If that occurs, the CPRA would be left off the ballot.