As we creep closer to January 1, 2020, one of the major plotlines in the Legislature’s fine-tuning of the California Consumer Privacy Act is how exactly the law will be enforced when all is said and done. As it stands, it looks as though Californians are going to need to rely on the Attorney General and local governments to do most of the actual legwork to make sure companies abide by the new law. Whether that reliance is justified remains to be seen.
As we have discussed, SB 561, which would have granted a private right of action to allow individuals to sue for any violation of the CCPA, was summarily defeated. Similarly, early attempts to make improper use of facial recognition software a violation of unfair competition laws (and therefore privately enforceable) died an early death in committee. As it stands, the only private right of action remaining is for data breaches.
What this means for Californians is that, short of an actual data breach, enforcement of the CCPA is almost exclusively going to fall to the Attorney General’s office. However, whether the Attorney General’s office is actually going to have the manpower and budget to rise to the challenge is starting to come into question.
According to Yuri Nagano in the San Francisco Public Press, Stacey Schesser, Supervising Deputy Attorney General, testified before the Senate that despite planning to expand the AG’s privacy team to 23 people with a $4.7 million annual budget, the state might only be able to prosecute three cases per year. She wrote:
That calculation came from reviewing the number of hours spent in the past on similar types of cases. The new staff will have a “multitude of responsibilities” — handling investigations, litigating violations and proposing adjustments to the regulations themselves. Enforcement of the new privacy law can stay effective only if it responds as technology evolves.
In comparison, Schesser testified, Ireland’s data privacy unit has 140 officers to enforce the GDPR. In Schesser’s own words, the California AG’s office is “way understaffed” to enforce the CCPA.
It should be noted that the CCPA also provides for a “Consumer Privacy Fund,” which will receive 20% of all penalties or settlements that the Attorney General’s office earns through CCPA enforcement actions. This fund will be used to support and fund enforcement by the AG’s office, and may not be raided by the state unless the funds “are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this title.”
Where the CCPA goes from here isn’t clear. Maybe the Consumer Privacy Fund will be a big enough war chest to bankroll the AG’s privacy team. But if Schesser is correct and the AG’s office is not going to be in a position to enforce the CCPA, then the law is hardly worth the paper it’s printed on.
Then again, maybe there is a silver lining for privacy advocates; if the AG’s office really will not be able to assume its role as protector, there might finally be some traction on a private right of action, expanded enforcement options, or maybe even a bigger budget. Stay tuned.
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.