February 6, 2023

Volume XIII, Number 37

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

CCPA Enforcement Begins Amid Pandemic And Regulatory Uncertainty

On July 1, 2020, the office of the California Attorney General (AG) began enforcement of the California Consumer Privacy Act (CCPA).

The CCPA—generally viewed as the broadest digital privacy law in the U.S. which poses significant concerns for practically any business with a website accessible to California consumers—became effective on Jan. 1, 2020. However, after its effective date, CCPA was subject to a six-month ramp-up period, such that enforcement was not to begin until July 1, 2020.

Considering several developments, there were questions as to whether enforcement would begin on July 1, 2020. During the ramp-up period, the California AG issued regulations governing the implementation of the CCPA. Confusingly, those regulations were modified several times. It was not until June 1, 2020, that the California AG finalized the regulations.

The regulations must now undergo a 90-day review by the California Office of Administrative Law, after which their final text will be filed with the California Secretary of State. Only then—around the end of August—will the regulations become enforceable. Thus, while CCPA is itself in effect, the status of its regulation has been a matter of significant procedural uncertainty. In addition to that procedural uncertainty, businesses across the world are also dealing with the 2019 novel coronavirus (COVID-19) pandemic. Understandably, many industry leaders called on the California AG to delay its CCPA enforcement efforts.

We now know that the California AG has rejected those requests and despite the current environment—the pandemic still raging and regulations that are not yet technically effective—began moving ahead with enforcement on July 1, 2020. In an interview with The Washington Post, the California AG confirmed: “For sure we will start enforcing on July 1.” Now, we are seeing reports that enforcement in fact began as promised, with companies receiving compliance notices before the July 4 holiday weekend.

There is only one way to interpret this move by the California AG: businesses cannot wait to ensure compliance with CCPA’s provisions.

What you can do now:

  • Read the law and the still-pending implementing regulations

  • If you haven’t yet, contact an attorney to ensure you’ve taken all possible steps to comply with the CCPA

  • If you receive a compliance notice from the California AG, ensure that you comply with all deadlines and next-step requirements, preferably with the advice of an attorney

Copyright © 2023 Godfrey & Kahn S.C.National Law Review, Volume X, Number 189

About this Author

Zachary R. Willenbrink Litigation Attorney Godfrey & Kahn Milwaukee, WI

Zach Willenbrink is a member of Godfrey & Kahn’s Litigation Practice Group in the firm’s Milwaukee office.

Zach represents clients in many types of litigation, primarily those involving complex commercial, intellectual property, insurance trade practices, international law, and media and entertainment issues, as well as in appeals. He enjoys untangling complex legal and factual issues, in order to understand what is truly in dispute and working toward the best resolution possible. A former member and songwriter in several touring bands, Zach tries to approach disputes creatively...

Andy Schlidt Shareholder Milwaukee Technology & Digital Business, the Data Privacy & Cybersecurity

Andy Schlidt is a shareholder in the Technology & Digital Business, the Data Privacy & Cybersecurity and the Corporate legal practice groups.  He advises clients in commercial transactions and compliance matters, drawing on his prior consulting work at Accenture and his Masters in Technology from Purdue University.

As Chair of the Technology & Digital Business practice, Andy negotiates a wide variety of commercial transactions.  Recent engagements include domestic and offshore outsourcing deals (ITO/BPO), XaaS and cloud subscriptions, IT licensing, software development,...

Justin Special counsel  co-chair Data Privacy & Cybersecurity Practice Group
Special Counsel

Justin serves as special counsel and is co-chair of the firm’s Data Privacy & Cybersecurity Practice Group. He is also a member of the firm’s Technology & Digital Business Practice Group. Justin holds the Certified Information Privacy Professional/US (CIPP/US) certification from the International Association of Privacy Professionals.

Justin’s practice focuses on helping clients with the legal issues that arise from technology and data in an increasingly digital world, with a specific focus on cybersecurity and data privacy matters. His work includes:

  • Compliance...
Sarah A. Sargent Associate Milwaukee Cybersecurity Practice Group, Technology & Digital Business Practice Group

Sarah Sargent is a member of the Data Privacy & Cybersecurity Practice Group and Technology & Digital Business Practice Group. She holds the CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals, allowing her to draw from both domestic and international best practices when it comes to questions of data privacy.

Sarah’s practice focuses on assisting clients in implementing innovative technology and finding practical business solutions for privacy compliance. She counsels clients on privacy compliance with a variety of state, federal,...