By Gerard M. Stegmaier, a Partner, and Mark D. Quist, an Associate, in the Washington, DC office of Reed Smith LLP.

Executive Summary

Click here for a printer-friendly version of this Executive Summary.

Material privacy and data security risks are set to rise again with the coming implementation of the California Consumer Privacy Act (CCPA) in January 2020. The law will affect virtually any business that collects personal information related to California residents and their households. Administrative penalties and strike suits filed as consumer class actions seem inevitable under the CCPA. The California Attorney General can levy per-violation civil penalties of up to $7,500. And alleged victims of data breaches can bring private lawsuits under the CCPA for statutory penalties of up to $750 on a “per consumer per incident.”

The attorney general has held an initial series of hearings on the law, and the state legislature continues to debate amendments, leaving affected entities in a state of anxious uncertainty. Interested businesses’ best opportunity to shape the CCPA’s future enforcement and set the groundwork for possible legal challenges lies in their participation in the state attorney general’s formal promulgation of rules, set to commence in the second half of 2019.

This paper, written by Reed Smith LLP attorneys Gerard M. Stegmaier and Mark D. Quist, examines key provisions of the CCPA and issues that will be addressed in the process; details the CCPA rulemaking timeline and its step-by-step process; and spotlights strategic considerations that can maximize interested parties’ participation in the process.

The California Administrative Procedure Act governs the notice-and-comment rulemaking process the attorney general will undertake for the CCPA. Publication of the proposed rules initiates a comment period of at least 45 days. The attorney general can also schedule optional public hearings at that time. After reviewing comments, the attorney general must issue a “Final Statement of Reasons” addressing the comments, which may be followed by another round of comments if the proposed rules undergo substantial revisions. The state Office of Administrative Law then has 30 days to review the rules before final publication.

Businesses whose data security and privacy practices will be scrutinized under the CCPA’s microscope should bear in mind a number of considerations when crafting comments, including:

  • The attorney general’s required economic impact assessment will provide helpful economic and business-related insights.
  • California courts generally do not defer to state agencies’ interpretation of enabling statutes such as the CCPA, so the attorney general must take care not to exceed his authority.
  • The attorney general must respond to relevant comments and justify the rules against alternatives.
  • Submitted comments must be “relevant” to the proposed rules, not the CCPA in general.

Click on the PDF button above to download the publication.