California Privacy Act still not being enforced seven years after enactment

In 1972, California voters amended the California Constitution through an initiative measure to include the right of privacy as an inalienable right. Cal. Const., art. 1, § 1. Forty-six years later, in 2018, California voters pushed a ballot initiative measure to create a sweeping set of enforcement regulations for privacy rights. This March, enforcement finally begins.

The effort to enshrine privacy as an enforceable right in California has a distressingly long and complicated history. The California Legislature passed the California Consumer Privacy Act to head off the ballot initiative. CCC §1798.100 et seq. The Privacy Act took effect on Jan. 1, 2020,

The Privacy Act was further amended in 2020 to create a new watchdog agency, the California Privacy Protection Agency, to enforce the law and to implement regulations. Currently, the agency still hasn’t completed the full set of mandatory regulations. The glacial speed of the agency gave opponents an opening to stymie the Privacy Act, and they took it.

In March 2023, 12 out of 15 mandated regulation areas for the Privacy Act were approved. That same month, the California Chamber of Commerce filed a petition seeking a writ of mandate to stop enforcement of the partial set of regulations until the entire set was complete. While the Chamber’s legal strategy seemed more about slowing enforcement than demanding a robust set of regulations, it shed light on the disappointing performance of the CPPA, which has spent millions of taxpayer dollars with virtually nothing to show for it.

The Privacy Act was enacted in 2018 in response to the Cambridge Analytica scandal. Unbeknownst to consumers, Facebook released personally sensitive data of 87-million users to Cambridge Analytica, a political consulting firm linked to the Trump campaign. Cambridge Analytica reportedly used the data to create psychological profiles of voters to create digital ads that targeted certain voters based on their personality traits. The purpose was to influence the 2016 presidential election.

The faltering enforcement effort of the CPPA is all the more disappointing because the Privacy Act is a substantial tool statute with enormous promise to protect privacy. The Act takes square aim at the profiling Cambridge Analytica conducted by greatly expanding the types of personal information entitled to legal protection and gives consumers the right to follow the trail of how data is shared among companies.

The statute enacts a broad framework for personal information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” CCC §1798.140(o)(1). An interesting aspect of the Privacy Act is that it protects not only direct information collected from consumers, but creates a right to know about how a collecting corporation reached conclusions about individuals based on personal data. The CCP covers “[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” CCC §1798.140(o)(1)(K).

By July 1, 2022, the CPPA was supposed to have issued regulations in 15 mandatory areas (e.g., consumers’ right to request the correction of inaccurate personal information). CCC §§1798.185, subds. (a), (d), 1798.199.40, subd. (b).) The CPPA was authorized to begin enforcement of the regulations a year later on July 1, 2023. CCC §1798.185, subd. (d). Instead, on July 8, 2022, the CPPA issued regulations on 12 of the issues mandated in the Privacy Act but did not issue regulations for cybersecurity audits, risk assessments, and automated decision-making technology.

The Office of Administrative Law was required to approve the regulations, and it did so for the partial set of regulations on March 29, 2023. The initial set of regulations should have been enforceable on July 1, 2023, but the Chamber immediately filed its petition for writ of mandate asking a Sacramento superior court to stay enforcement of any regulations until the CPPA issued a complete set.

The Superior Court stayed enforcement of implementing regulations for a period of 12 months from the date of final approval rather than staying the entire set of regulations until the CPPA completes the entire set of regulations. California Chamber of Commerce v. California Privacy Protection Agency, Case No. 34-2023-80004106 (Superior Court of Sacramento County, July 20. 2023). Interestingly, the court declined to compel the agency to issue the outstanding regulations. The court’s order would have created an extremely complicated cascade of enforcement where the initial set of regulations could not be enforced until March 23, 2024, and enforcement of the outstanding regulations would take effect one year after final approval, whatever date that might be.

The CPPA sought a writ of mandamus for immediate relief from the court’s order and appealed the court’s order. The appeals court held that the superior court was wrong, finding that there was no express language inking enforcement with the date on which regulations were finally approved. California Privacy Protection Agency v. Superior Court, Case No. C099130, 2024 Cal. App. LEXIS 86 (Feb. 9. 2024). Rather, the court held it was unambiguous that the Privacy Act regulations were to become enforceable on July 1, 2023, not 12 months after final approval.

California residents have committed a substantial amount of effort to enact the privacy ballot initiative, and taxpayer dollars to fund the CPPA. The CPPA’s initial budget in 2020 was just over $10 million. Its projected budget for 2024 is $12.6 million. Hopefully, now that the CPPA won the legal challenge, it will put taxpayer dollars to work to enforce the existing regulations and issue the remainder in short order.