Despite confusion, AG begins privacy act enforcement

State Attorney General Xavier Becerra begins enforcing the California Consumer Privacy Act today as attorneys continue working to help clients try to comply with the new law.

The statute went into effect Jan. 1, but enforcement was delayed six months. Proposed regulations to implement the statute had not been approved by the Office of Administrative Law as of Tuesday, but the attorney general is not delaying enforcement despite postponement requests by business groups.

"Enforcement under the law can begin before regulations go into effect," Becerra's office said in a statement Tuesday.

Kyla Christoffersen Powell, president and chief executive officer of the Civil Justice Association of California, an organization that represents corporations, asked for enforcement to be delayed another six months, especially because of compliance complications due to the COVID-19 virus. Becerra rejected that idea.

Aside from uncertainty, Powell said companies are most concerned about the ability of consumers to pursue private lawsuits when their personal information is subject to "unauthorized access ..., theft, or disclosure."

The proposed regulations have not clarified questions many companies have about liability under the landmark privacy law, which was signed by Gov. Jerry Brown in 2018, including the definition of a reasonable security measure and a provision in the law that gives defendants a chance to "cure" the effects of a breach before an affected consumer files a complaint, she said.

"What is a cure?" Powell asked. "A lot of businesses are trying to make heads or tails of the language."

Scott T. Lashway, a partner with Manatt, Phelps & Phillips LLP, said he wasn't expecting the attorney general to file complaints this week but was expecting the office to pursue "black and white" violations of the law.

"I don't see why the attorney general would hesitate to pursue those actions," he said.

W. Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP who co-heads the firm's privacy and cybersecurity practice and advises clients on a wide range of U.S. privacy issues, said the pandemic -- aside from complicating business efforts to comply with the law -- is also creating new complications because so many employees are working from home.

"There are more privacy risks," he said.

The priority for businesses is to establish they are being responsive to the law by posting privacy policies on their websites and establishing policies so consumers and workers know what information companies have about them, Hirsch said, as well as the ability to request its deletion.

"There's no doubt the CCPA changes the privacy regulatory landscape," he said.

One major concern for companies, attorneys said, are security breaches that expose consumer data. Plaintiffs' attorneys can be expected to private lawsuits that echo allegations made by the attorney general's office for violations of the law.

"I think the civil actions related to security incidents will skyrocket because of the tools provided by the CCPA," Lashway said. "Clients are viewing privacy and security more frequently as a litigation risk" because of the law.