It is a hallmark of U.S. administrative law that policy decisions are made by the Legislature, with gaps filled in via regulation. See Med. Soc'y v. Serio, 100 N.Y.2d 854, 865 (2003). Administrative agencies are given wide discretion in this regard and courts show special deference in relation to matters within an agency's area of expertise. See Wembly Mgmt. Co. v. New York State Div. of Hous. & Cmty. Renewal, 205 A.D.2d 319, 319 (1st Dept. 1994). An administrative agency cannot, however, create policy on its own or otherwise promulgate rules not generally authorized by the Legislature.

California Consumer Privacy Act

In the arena of data protection, this separation of powers is being put to the test and, in certain cases, causing confusion for the millions of U.S. businesses seeking to comply with newly created data protection duties. Case in point, the California Consumer Privacy Act (CCPA), which famously came into effect on Jan. 1, 2020 with no regulations in place to fill in conspicuous gaps found in the law. CCPA itself was a reaction to a popular ballot initiative which, if passed, would have significantly tied the California Legislature's hands in relation to future amendments. See Cal. Const., art. II, §10 (70% legislative majority required to amend adopted ballot initiative). Instead of restricting its ability to change the initiative, the Legislature decided to swallow the bitter pill of CCPA, leaving much of the detail concerning CCPA compliance to the California attorney general, who is required to promulgate CCPA-related regulations no later than July 1, 2020. These regulations must include, inter alia, specific rules for the uniform "Do Not Sell My Personal Information" button required under the statute, verification of consumer data requests, and the very definition of "personal information" on which the whole of CCPA is based.

The California attorney general issued notice of such regulations on Oct. 11, 2019, which opened a comment period that closed on Dec. 6, 2019. In response to the comments received, the attorney general proposed revised regulations on Feb. 10, 2020, opening a truncated 15-day comment period that ended on Feb. 25, 2020. The attorney general then proposed a second set of revisions on March 11, 2020, opening another 15-day comment period that ended on March 27, 2020. It is unclear whether the attorney general will further revise the proposed regulations, which would in turn open yet another 15-day comment period, or whether the attorney general will adopt this regulatory "version 3.0" as currently proposed.

The problem with this process is that without any statutorily created ramp-up period, organizations subject to data protection laws such as CCPA must develop extensive compliance programs before any regulatory guidance is in place. By way of contrast, the European Union's General Data Protection Regulation became effective as of April 14, 2016 but gave organizations until May 25, 2018 to comply. The lack of such a ramp-up period leads to the often expensive and inefficient circumstance of an organization guessing where proposed or anticipated regulations may end up once adopted, but ultimately guessing wrong.

Selling Personal Information

Case in point, the CCPA requirement that organizations that sell personal information obtained from third parties provide notice to the consumers whose information they are selling of the details of such sale. In the originally proposed regulations, the California attorney general offered a creative solution, not present anywhere in the statutory language of CCPA. Specifically, before a business subject to CCPA could sell personal information obtained from a third party, the business would either have to provide notice of the sale directly to the consumers at issue or obtain an attestation from the original seller of the information, stating that that seller had already provided appropriate notice at or before the point of data collection. See Cal. Code Regs. tit. 11, §999.305(d) (as proposed, Oct. 11, 2019).

This attestation option was both efficient and welcomed among businesses that sold personal information obtained from others. Accordingly, certain organizations began the process of obtaining such attestations, predicting that this aspect of the proposed regulations would not change in any material respect.

Both the first and second set of revised regulations, however, jettisoned the attestation option and replaced it with a safe harbor for businesses selling personal information obtained from others if: (1) the business registers with the attorney general as a data broker, pursuant to Cal. Civ. Code §1798.99.80, and (2) "includes in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out." See Cal. Code Regs. tit. 11, §999.305(e) (as modified, March 11, 2020).

This change, although perhaps even easier to comply with than the attestation option, creates three sets of related problems. First, for businesses that have already obtained attestations from their sources of personal information, those attestations are now moot, although they may have involved detailed negotiations, contract amendments, and attorney time. Second, a business that has not yet registered as a data broker in California must now do so to obtain the benefit of this caveat. This brings with it risk, however, because the deadline to register as a data broker in California ran on Jan. 31, 2020, and failure to register can lead to fines and enforcement. See Cal. Civ. Code §1798.99.82(c) ($100.00 per day potential fine for failure to register). Indeed, as the attorney general makes clear on the data broker registration website, "[a] data broker that has not registered by the January 31 statutory deadline should register as soon as possible and may be liable for civil penalties for each day the data broker fails to register." The definition of "data broker" under §1798.99.80 is not coterminous with the definition of "business" under CCPA, however.

Hence, many CCPA businesses that sell personal information obtained from third parties may have determined that they were not "data brokers" under §1798.99.80, therefore deciding not to register before the deadline. If any such business now decides to register to take advantage of the caveat in the modified version of §999.305(e), it faces the unenviable risk of having to explain to the California attorney general that it is actually not a data broker, if the attorney general ultimately seeks to impose a penalty for late registration. And this risk increases if the business decides to wait and see whether the modified version of §999.305(e) is ultimately adopted.

Another significant issue subject to potential change in the CCPA regulations is the "Do Not Sell My Personal Information" button. In the first set of revised regulations, the attorney general required a red slider, which was to be "approximately the same size as other buttons on the business's web page." See Cal. Code Regs. tit. 11, §999.306(f)(1)-(2) (as proposed, Feb. 10, 2020). In the second set of revised regulations, however, the attorney general removed this red slider completely. And importantly, the attorney general omitted any guidance on the button or slider in the originally proposed regulations, thereby shortening the time for potential comment from 45 days under the originally proposed regulations to 15 days under the revised regulations. An opt-out button or slider appearing on a business's home page is no small matter, however, and often cannot be implemented without significant effort.

Large entities with many websites must determine where to place the button, how to size it in relation to other buttons, how to match the button with the specific color ultimately chosen by the attorney general, and how to implement a change management procedure to accomplish all this. Smaller entities without in-house web development teams must find a vendor with capacity to implement these changes. But web development vendor capacity may be scarce in this era of COVID-19-related virtualization and the rush to implement these and other changes required under CCPA. And the seesaw effect felt under the shifting regulations only increases this tension, with potential risk to organizations that may get their information concerning CCPA compliance from second-hand, outdated sources.

Other Regulatory Regimes

This regulatory confusion and potential for change does not end with CCPA. Maryland's Online Consumer Protection Act, for example, which is currently before the Maryland General Assembly, calls for administrative rules creating exemptions under the Act as well as revisions to crucial Act definitions as may be required from time to time. Other regulatory regimes, such as 23 N.Y.C.R.R. Part 500, which creates sweeping cybersecurity requirements for organizations around the globe regulated by the New York State Department of Financial Services, have seen similar rounds of regulatory revision, and may undergo further change in the future. The one constant in this arena will be fluidity and potential disruption, as legislatures rush to pass data protection laws without including ramp-up periods, with implementing regulations lagging significantly behind, or even changing midstream as organizations try to anticipate the ultimate form such regulations may take.

F. Paul Greene is a partner and chair of the Privacy and Data Security practice group at Harter Secrest & Emery, a full-service business law firm with offices throughout New York. He can be reached at [email protected].