The law grants Californians the right to sue companies for failing to take reasonable precautions to prevent data breaches. But apart from that, making sure companies comply with the CCPA is the sole province of the Attorney General’s office, which has indicated that it will only have the bandwidth to bring a handful of cases each year.
“The California Attorney General has said, ‘We only have resources to bring a few cases a year,’” said Justin Brookman, director of privacy and tech policy at Consumer Reports. “So maybe companies are saying, ‘The odds of getting sued are pretty slim.’”
Mactaggart, however, said he expects businesses to fall in line.
“I come from one of the most heavily regulated industries in the country: real estate development,” he said. “I’ve literally never even come close to sitting in any meeting where I’ve heard anyone say something like, ‘It’s the law, but we’re not going to get caught, so let’s just do it anyway.’” He argued that even if cases are rare, the threat of crippling fines—$2,500 per user, per piece of data, which could easily scale to the tens of billions for a company that flouts the law—should be an effective deterrent.
Still, he granted that some violations of the law might be hard to detect in the first place, let alone police.
“It’s easy to see on the page if they’re tracking,” he said. “The harder part is, how do I know they deleted it or how do I know they didn’t sell it?”
What Comes Next?
In part to solve the potential enforcement problem, Mactaggart is working to get another initiative on the ballot this November that would beef up the existing law. “Right now, the regulation is in the hands of the Attorney General, who has stated, and I don’t blame him, ‘We’re cops, not regulators,’” he said. The initiative would create an independent agency focused just on the privacy law, with the power to audit companies for compliance. It would also restrict the legislature from watering the law down in the future—a serious concern given the amount of industry lobbying that has already taken place.
Meanwhile, the California law puts pressure on Congress to act at the national level, as the business community howls at the prospect of complying with a patchwork of state requirements. (States like Nevada and Vermont have their own privacy statutes; lawmakers in other states, like New York, have tried to introduce even more ambitious bills than California’s, although with less success so far.) The Senate is currently considering a number of bills, but so far Democrats and Republicans are far apart on two key issues: whether to grant ordinary Americans the right to sue for violations (Democrats generally think yes, Republicans no), and whether the federal law should preempt tougher state regulations (Democrats no, Republicans yes). The longer Congress waits to act, the more California—and any state that goes even further—will get to determine the facts on the ground.
“Really, you have to have a short- and long-term CCPA strategy,” said Jennifer Rathburn, a partner at the law firm Foley & Lardner, who advises corporate companies on compliance with the law. “The final regulations come out; you’re going to have ballot initiative 2.0 coming out; and then you’re going to have potentially other state laws. This isn’t a one and done. This is an evolving area that’s pretty new to the US.” She added, “In sum, privacy is here to stay.”