California’s new data privacy law went into effect Jan. 1, 2020, but the date is largely symbolic. Companies should already have a data management plan in place by now, as certain provisions within the new law call for companies to be able to provide data going back 12 months, and California’s attorney general has stated that full enforcement will not be likely until after July 2020.
Since the California Consumer Privacy Act of 2018 (AB 375) was passed in the summer of 2018, companies, interest groups, consumers and government actors have been discussing what the law actually does and how it will be enforced. Several amendments were passed in September 2019, putting to rest a host of questions, but despite this and several public discussion forums, companies’ interpretations of the law and how to comply with it widely differ.
The problem with nonstandard application of the law rests on both sides. The law itself grants the courts and the attorney general broad freedoms to enforce it as they see fit, and several provisions within the law will be clarified through enforcement actions. The law grants consumers the right to request their personal data be deleted, for example, but also grants companies several exemptions to this clause, including a variety of business purposes that provide ample wiggle room.