The office of Attorney General Xavier Becerra won’t begin to enforce the law until July 1, 2020, but he said he considers the law in effect as of Jan. 1, “right after that first kiss and the hugs and the champagne.”
But his budget is limited. He said his office is likely to conduct only three enforcement actions a year, though he won’t say against what companies.
“The bigger the company, the bigger the problem,” Becerra said. “The bigger the universe that has data that is used in certain ways, that could lead to that violation, the bigger the case will be.”
When asked about a particularly sensitive kind of information his office is keen to prioritize protection of, Becerra said: “I think my health information is sensitive. I think my Social Security number is sensitive. I think my dating patterns, especially since I’m married, would be sensitive,” Becerra said, jokingly.
More seriously, he added that “aggressive, early, decisive enforcement” is likely to focus on the sale of data involving children. “The last thing you want is for any company to think that we’re going to be soft on letting you misuse kids’ personal information.”
How Tech Giants and Data Brokers are Reacting
Industry groups spent the last year trying to rewrite and soften the law. It’s expected they’ll sue to stop the CCPA’s rollout, even as most have taken some steps to comply with it. Many businesses complain there’s a lack of clarity on the regulations that Becerra’s staff is still crafting.
For businesses, the attorney general’s office has released a Standardized Regulatory Impact Assessment outlining the potential scope of the new law, but businesses want the office to produce sample forms and notices as well.
In the meantime, some companies like Microsoft are adopting the new rules across the nation immediately.
Other companies are taking a different view. While Facebook has made it easy to download your data — as has Twitter and Google — the Menlo Park-based social media giant argues it sells advertisers access to you, so it’s up to the advertisers to let you opt out or not.
“We’re committed to clearly explaining how our products work, including the fact that we do not sell people’s data,” the company posted online.
That doesn’t pass the smell test for a number of industry watchers, including Chris Hoofnagle, who teaches tech regulation at UC Berkeley.
“Facebook, in particular, appears to be interpreting the law in a very opportunistic way. So that they don’t actually need to do anything to comply with it,” he said.
Hoofnagle thinks the biggest tech companies in Silicon Valley are in a financial position to bet it will be awhile before the attorney general’s office comes for them.