Privacy Sequel Coming, Some Might Wait to Sue California
Businesses dissatisfied by final California privacy rules might sue the state, but an expected November ballot vote on another privacy proposal and other factors could discourage them, business privacy attorneys said this week. The Software & Information Industry Association raised constitutional concerns with the California Consumer Privacy Act and regulations released Tuesday. SIIA General Counsel Chris Mohr told us Thursday it’s “not in a litigation posture at this time.” Rumored suits probably would be a long, uphill fight, said Perkins Coie’s Dominique Shelton Leipzig on an Information Systems Security Association (ISSA) webinar Wednesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
California Attorney General Xavier Becerra (D) plans to enforce the privacy law July 1, after barely making Monday’s deadline to submit final CCPA rules to the Office of Administrative Law (see 2006020062). The state DOJ made no substantial changes to rules from a March draft, rejecting many suggestions. Californians probably will vote in November on the California Privacy Rights Act. CPRA could again revise state privacy laws (see 2005080037).
SIIA President Jeff Joseph called the state regulations “capricious” and raised First Amendment concerns, in a Wednesday statement (see 2006030050). Mohr said the association supports robust privacy rights, but they must be balanced against other values like freedom of speech, and the group has concerns that CCPA inappropriately covers information in the public domain that's widely available. SIIA asked the legislature and attorney general to address the issue, but neither did, he said.
November’s ballot initiative includes “language on publicly available information that ameliorates a lot of the concerns" about the First Amendment, said Mohr. SIIA worked with the California Chamber of Commerce (CalChamber) to negotiate that language in the proposed CPRA, he said. SIIA hasn't endorsed the policy, which has other problems including limitations on the legislature to amend the law, said Sara DePaul, SIIA senior director-technology policy.
Companies could argue the law and AG rules violate the Constitution or Dormant Commerce Clause, Shelton Leipzig said. The case will be “tough” to win because CCPA is so grounded in California’s constitutional privacy protections, she said. The case would likely take courts years to resolve, especially given the backlog of cases caused by the pandemic, she added. “I don’t see this as being an expedited way to address the law.” The attorney noted she helped CalChamber add a few business-friendly provisions to CPRA during discussions, including a two-year extension to employee and business-to-business data exemptions set to expire at year-end. CalChamber didn’t comment.
Winning a challenge against CCPA “will have less value if the entire framework may effectively be replaced by the ballot initiative that may be on the November ballot,” emailed Covington attorney Libbie Canter. Potential suits could focus on substance or process, but “it’s not clear how motivated any company or trade group would be to bring such a challenge,” including due to reputational risks that come with challenging a privacy law, she said.
One element likely to be challenged is a do-not-track rule added by the attorney general, privacy attorney Susan Hintze emailed. “Many feel that the CCPA did not provide basis for requiring companies to respond to Do Not Track signals and that those signals do not reflect a [do-not-sell] request by consumers or any other rights given consumers under CCPA.” Consumer privacy advocates separately raised concerns that the do-not-track requirement isn’t clear.
“There’s not much downside for companies to challenge the law,” said Cowen analyst Paul Gallant. “Most companies don't like it. It will cost them money one way or another.” Possibly unfavorable optics of challenging a consumer privacy law might discourage the biggest internet companies from putting their name on the suit, but “much of corporate America doesn’t like this law, so I don’t think it will be hard to have a small number of umbrella groups challenge the law.”
Becerra’s office didn’t comment on possible litigation. Consumer privacy groups including the Center for Democracy and Technology and Electronic Frontier Foundation didn’t comment.
“Is it really fair to ask companies to make anticipatory investments in implementing rules before the rules are completely final and have gone through all relevant administrative hoops?” asked Canter. Several areas of the law remain ambiguous and the AG seeking expedited OLA review makes things tougher for businesses, she said. Some companies didn’t want to sink money into compliance until rules were final, said Shelton Leipzig. They will likely have to amend privacy programs again if CPRA passes, Jackson Lewis lawyer Rachel Ehlers blogged Wednesday. “Many other states are also attempting to pass new legislation, so this could all create a complex regime of multiple states with different laws.”
Texas, New York, New Jersey and Washington are among states that could act on privacy bills soon, IntraEdge President Dan Clarke said on the ISSA webinar. He sees no hope for federal privacy action soon. SIIA is "cautiously optimistic" about national privacy legislation, though it probably won’t happen this year, said DePaul: COVID-19 brought more attention to privacy issues in Congress, and the group sees growing legislative consensus that addressing privacy is necessary.