California’s privacy agency must change course on new rules
OPINION – This year, the California business community has found itself in an untenable—and frankly, bizarre—position of being out of compliance with regulations that do not yet exist. How did we get here?
California’s plan for new consumer privacy protections was expected to serve as another example of the state’s leadership in creating enlightened public policy and a model for the nation. Instead, the plan has been mired in confusion, missed deadlines, and a failure to agree on the actual rules businesses must follow under the new law that went into effect January 1.
Let’s take a step back. When California voters passed Proposition 24 in 2020, they called for new regulations to better protect consumer data online. That makes sense. And at the time, businesses of all sizes—from large companies to small family operations—were not an afterthought: the California Privacy Rights Act (CPRA) clearly stated that the law must give “attention to the impact on business and innovation.”
This is because businesses have a major stake. The state’s retail sector alone, which includes members of my organization, employs over three million people, not just at major brands but at thousands of small, minority and family-owned businesses. They are highly competitive businesses that have increasingly relied on e-commerce to build strong customer relationships, as well as contribute to economic growth and in some cases keep their businesses afloat. The pandemic accelerated this trend as consumers turned away from brick-and-mortar businesses in favor of online shopping.
California’s plan for new consumer privacy protections was expected to serve as another example of the state’s leadership in creating enlightened public policy and a model for the nation.
Unfortunately, the California’s Privacy Protection Agency (CPPA), created under the new law, has done just the opposite of the stated mandate, largely ignoring business input throughout the rule-making process. In fact, the only constant in this tortured process has been CPPA’s refusal to adequately consider the impact of new privacy rules on business. At meetings, business feedback has been given short shrift. Actions have been taken behind closed doors. Agency members have failed to participate in key public sessions.
During this time, the agency has repeatedly failed to meet its required timeline. First, it missed last July’s deadline to complete the rulemaking. Then, it allowed compliance to take effect on January 1 without identifying the regulations that businesses must comply with. Now, the CPPA says it plans to issue final rules nine months behind schedule in April, and enforcement will begin shortly after on July 1, fining businesses for non-compliance. But how do they expect retailers to adjust their operations before enforcement begins?
California retailers value their relationship with their customers. We are not data brokers. We are part of a highly competitive industry that depends on strong relationships—often spanning generations—with the people who shop with us. For the rules to be effective, the privacy agency must understand our business and that means meaningful engagement with all stakeholders, including businesses.
Protecting privacy is critical, but so is the ability of businesses to innovate and compete in a large and diverse state like California.
The 11th hour has arrived, the privacy agency must make a course correction immediately. It must engage collaboratively with businesses in resolving key requirements of Proposition 24 that have yet to be addressed. It must extend the enforcement deadline for the not-yet-existent regulations, so businesses have time to accommodate. If the privacy agency is not held accountable for its shortcomings, how can voters have confidence their mandate is being carried out?
Protecting privacy is critical, but so is the ability of businesses to innovate and compete in a large and diverse state like California. Properly implemented, the CPRA regulations can benefit businesses and their customers alike. But ignoring business stakeholders while adopting new rules and not allowing enough time for compliance is a recipe for failure with unintended consequences that could have been avoided if we were committed to a robust, transparent process.
Rachel Michelin is president of the California Retailers Association.
Want to see more stories like this? Sign up for The Roundup, the free daily newsletter about California politics from the editors of Capitol Weekly. Stay up to date on the news you need to know.
Sign up below, then look for a confirmation email in your inbox.