August 15, 2020

Volume X, Number 228

August 14, 2020

Subscribe to Latest Legal News and Analysis

August 13, 2020

Subscribe to Latest Legal News and Analysis

August 12, 2020

Subscribe to Latest Legal News and Analysis

CCPA Enforcement Begins Amid Pandemic And Regulatory Uncertainty

On July 1, 2020, the office of the California Attorney General (AG) began enforcement of the California Consumer Privacy Act (CCPA).

The CCPA—generally viewed as the broadest digital privacy law in the U.S. which poses significant concerns for practically any business with a website accessible to California consumers—became effective on Jan. 1, 2020. However, after its effective date, CCPA was subject to a six-month ramp-up period, such that enforcement was not to begin until July 1, 2020.

Considering several developments, there were questions as to whether enforcement would begin on July 1, 2020. During the ramp-up period, the California AG issued regulations governing the implementation of the CCPA. Confusingly, those regulations were modified several times. It was not until June 1, 2020, that the California AG finalized the regulations.

The regulations must now undergo a 90-day review by the California Office of Administrative Law, after which their final text will be filed with the California Secretary of State. Only then—around the end of August—will the regulations become enforceable. Thus, while CCPA is itself in effect, the status of its regulation has been a matter of significant procedural uncertainty. In addition to that procedural uncertainty, businesses across the world are also dealing with the 2019 novel coronavirus (COVID-19) pandemic. Understandably, many industry leaders called on the California AG to delay its CCPA enforcement efforts.

We now know that the California AG has rejected those requests and despite the current environment—the pandemic still raging and regulations that are not yet technically effective—began moving ahead with enforcement on July 1, 2020. In an interview with The Washington Post, the California AG confirmed: “For sure we will start enforcing on July 1.” Now, we are seeing reports that enforcement in fact began as promised, with companies receiving compliance notices before the July 4 holiday weekend.

There is only one way to interpret this move by the California AG: businesses cannot wait to ensure compliance with CCPA’s provisions.

What you can do now:

  • Read the law and the still-pending implementing regulations

  • If you haven’t yet, contact an attorney to ensure you’ve taken all possible steps to comply with the CCPA

  • If you receive a compliance notice from the California AG, ensure that you comply with all deadlines and next-step requirements, preferably with the advice of an attorney

Copyright © 2020 Godfrey & Kahn S.C.National Law Review, Volume X, Number 189

TRENDING LEGAL ANALYSIS


About this Author

Zachary R. Willenbrink Litigation Attorney Godfrey & Kahn Milwaukee, WI
Associate

Zach Willenbrink is a member of Godfrey & Kahn’s Litigation Practice Group in the firm’s Milwaukee office.

Zach represents clients in many types of litigation, primarily those involving complex commercial, intellectual property, insurance trade practices, international law, and media and entertainment issues, as well as in appeals. He enjoys untangling complex legal and factual issues, in order to understand what is truly in dispute and working toward the best resolution possible. A former member and songwriter in several touring bands, Zach tries to approach disputes creatively...

414.287.9463
Andy Schlidt Shareholder Milwaukee Technology & Digital Business, the Data Privacy & Cybersecurity
Shareholder

Andy Schlidt is a shareholder in the Technology & Digital Business, the Data Privacy & Cybersecurity and the Corporate legal practice groups.  He advises clients in commercial transactions and compliance matters, drawing on his prior consulting work at Accenture and his Masters in Technology from Purdue University.

As Chair of the Technology & Digital Business practice, Andy negotiates a wide variety of commercial transactions.  Recent engagements include domestic and offshore outsourcing deals (ITO/BPO), XaaS and cloud subscriptions, IT licensing, software development, hardware acquisition, IT joint developments, and strategic alliances.  He also counsels clients on telecommunications matters including wireless, wireline, fiber optic, small cell, DAS, broadband, and telecom infrastructure deployment.  

As Co-chair of the firm’s Data Privacy & Cybersecurity practice, Andy helps  demystify IT compliance for clients with a focus on data breach response, privacy and cybersecurity programs, vendor management, cyber insurance, and IT dispute resolution.  Emerging areas of interest include the IoT, IIoT, AI, Blockchain, smart contracts, smart cities, and connected environments.  He supports the firm’s internal compliance initiatives as the firm’s Chief Privacy Officer.

While at Purdue, Andy wrote his thesis on the technology risk management practices of Fortune 200 companies.  He is a member of ITechLaw (a worldwide technology law community), the International Association of Outsourcing Professionals (IAOP), the International Association of Privacy Professionals (IAPP) and the Federal Communications Bar Association.  He has served on the Advisory Board of the University of Wisconsin E-Business Consortium, and as a member of the Telecommunications Committee of the Wisconsin Public Utilities Institute.

414-287-9624
Justin Special counsel  co-chair Data Privacy & Cybersecurity Practice Group
Special Counsel

Justin serves as special counsel and is co-chair of the firm’s Data Privacy & Cybersecurity Practice Group. He is also a member of the firm’s Technology & Digital Business Practice Group. Justin holds the Certified Information Privacy Professional/US (CIPP/US) certification from the International Association of Privacy Professionals.

Justin’s practice focuses on helping clients with the legal issues that arise from technology and data in an increasingly digital world, with a specific focus on cybersecurity and data privacy matters. His work includes:

  • Compliance...
414-287-9527
Sarah A. Sargent Associate Milwaukee Cybersecurity Practice Group, Technology & Digital Business Practice Group
Associate

Sarah Sargent is a member of the Data Privacy & Cybersecurity Practice Group and Technology & Digital Business Practice Group. She holds the CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals, allowing her to draw from both domestic and international best practices when it comes to questions of data privacy.

Sarah’s practice focuses on assisting clients in implementing innovative technology and finding practical business solutions for privacy compliance. She counsels clients on privacy compliance with a variety of state, federal,...

414-28-9450