The California Consumer Privacy Act (CaCPA), which was signed by then-Governor Jerry Brown on September 23, 2018, contains three key dates relating to compliance and enforcement.
- The first is the effective date – January 1, 2020.
- CaCPA created a separate date for when enforcement could begin by the Attorney General which was “six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner. Since the Attorney General has not finalized the regulations, in fact, a third draft was released on March 11, 2020, July 1 becomes the operative date for enforcement.
- Finally, once the enforcement era beings, a business is not in violation until of CaCPA until it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance (Section 1798.155(b)).
With the prospects that the regulations may not be finalized until just before the enforcement deadline, in January the leading advertising industry associations – the American Association of Advertising Agencies, the Association of National Advertisers, the American Advertising Federation, the Interactive Advertising Bureau and Network Advertising Initiative urged Attorney General Becerra to delay enforcement until six months after the regulations are finalized. The Attorney General refused to respond.
On March 17, 2019, a coalition of 31 companies including the advertising associations, CalChamber, California Cable & Telecommunications Association, California Retailers Association, CompTIA, Internet Coalition, TechNet and UPS, wrote to Becerra and again urged a delay in enforcement since the regulations were not finalized and final compliance efforts would occur amidst the current COVID-19 crisis.
Developing innovative business procedures to comply with brand-new legal requirements is a formidable undertaking on its own, but it is an especially tall order when there are no dedicated, on-site staff available to build and test necessary new systems and processes.
Influential Santa Clara School of Law Professor Eric Goldman also called for a delay.
Due to illness or layoffs, some businesses will not have employees available to implement the new requirements. Furthermore, businesses across the state are under extreme financial stress due to the imminent state-wide economic depression; and many businesses have seen their customer base virtually dry up overnight, making it challenging for them to meet the expenses like rent and payroll needed to keep the lights on.
In the face of the unprecedented public health crisis, many businesses will need adequate time to manage the logistics, and absorb the expenses, of complying with the DOJ’s regulations. Forcing businesses to incur additional compliance expenses, on a super-tight timeline, will hurt everyone.
The Attorney General, however, was unmoved, as an aide explained
Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.
This statement about enforcement before July 1 and a similar statement made that the Attorney General would look back to January 1, 2020 for compliance are contradicted by the statute. There is no way the Attorney General can enforce CaCPA before July 1, 2020, In addition, while the Attorney General may look to compliance shortcomings from January 1, 2020 forward, there is no violation unless the target fails to cure within 30 days.