The California Consumer Protection Act: Will It Ever Be Enforced?

On January 1, 2020, California’s sweeping Consumer Privacy Act (“CCPA”) took effect, sort of. The CCPA’S scope and application were criticized from the get-go, but there was hope that the California Attorney General’s office would promulgate regulations to provide clarity and perhaps limitations to some of the law’s reach and remedies. In October 2019, the AG’s office issued its first draft of those regulations and, like the CCPA itself, the regulations seemed to generate more questions than answers. The AG’s office held several state-wide hearings for interest groups to voice concerns and raise questions. The Los Angeles hearing revealed much angst from many in the financial services industry and a fear of waves of litigation (including a concern that the CCPA might eventually spawn crippling representative actions similar to Private Attorney General Act (“PAGA”) lawsuits for wage-and-hour violations). On February 7, 2020, the AG issued modified draft regulations, with a written comment deadline of February 24, 2020. On March 11, 2020, the AG issued another set of modifications, with a March 27 comments deadline. As of the date of this writing, the AG has not issued its final regulations. Under the CCPA’s current language, the AG will not start to enforce the CCPA until July 1, 2020.

Apart from the regulatory hurdles, the future of the CCPA, at least in its present form and impact, is already in question. Federal versions of the CCPA are wending their way through Congress. In late 2019, competing bills – one Republican (“United States Consumer Data Privacy Act of 2019”), and one Democrat (‘‘Consumer Online Privacy Rights Act’’) – were introduced in Congress to address data collection and consumer privacy.  Perhaps most importantly for business litigators, both bills will impact litigation. The Democratic bill includes a private right of action, the Republican bill does not. And, the Republican bill expressly preempts any state versions (except for provisions relating to notice of data breach), while the Democratic version does not.

To further complicate the CCPA’s timing, the growing coronavirus pandemic prompted thirty-three organizations representing thousands of businesses (employing millions of California residents) to send a March 17, 2020 letter to the California Attorney General, asking him to delay enforcement of the CCPA. The letter’s authors noted: “Many companies have instituted mandatory work-from home measures to limit community spread of the virus, meaning that the individuals who are responsible for creative processes to comply with CCPA are not present in the office to undertake such tasks.” Thus, the letter’s drafters are asking the AG to delay enforcement until January 2, 2021. As of this bulletin, the AG has not agreed to a delay.