COVID-19 Will Apparently Not Delay CCPA Enforcement
While many companies around the world are coping with a global pandemic, some are facing additional challenges in light of a looming deadline triggered by the California Consumer Privacy Act (“CCPA”). Citing #covid19 concerns, a coalition of more than 60 such companies made a plea this week to California’s Attorney General Xavier Becerra (“AG”) to delay the AG’s enforcement of the CCPA. The CCPA went into effect on January 1, 2020, and its enforcement is currently set to begin in July. In a joint letter, these businesses asked the AG to postpone the enforcement of the CCPA for 6 months for two reasons—to help alleviate the challenges recently presented by forced telecommuting and to account for the lack of final CCPA-related regulations. The AG’s office responded that it has no current plans to delay enforcement, as discussed below.
We have written about the CCPA at length. This law gives California consumers certain rights, including the right to know what personal information the business has about them, the right to request the business to delete that information, and the right to opt out of the sale of their personal information. It regulates how organizations can collect data of California residents and how that personal information can then be used or shared.
The CCPA enforcement deadline is now rapidly approaching. Currently, July 1, 2020 marks the anticipated date by which the AG will begin its enforcement of the CCPA, but is important to remember that the AG will retroactively look to the business’s compliance as of January 1, 2020—the date on which the CCPA actually went into effect. In theory, all businesses subject to the CCPA should already be in full compliance with the law as of January 1, 2020 (or even earlier, considering the law’s “look-back” provisions with respect to access to personal data). In practice, however, many businesses have struggled to adapt to the rapidly changing regulations, and not all businesses are yet in full compliance.
What complicates matters further is that the CCPA-related regulations are not yet final. The AG’s regulations—which aim to interpret and implement the CCPA—have already undergone multiple and extensive revisions and still have not been finalized, as of today. The third draft of the regulations is currently open for comments until March 27. It seeks to clarify how businesses should respond to consumers’ data requests and what to disclose to consumers. Because the compliance parameters are still evolving, organizations doing business in California have struggled to meet their CCPA obligations, even before the spread of COVID-19. The added concern—cited by some businesses this week—is that the AG’s regulations remain confusing, while the clock is still running out on their ability to interpret the regulations, to ascertain if they are subject to the CCPA, and to quickly adopt what is necessary in terms of compliance.
As a result, a letter from the coalition of businesses asked the AG to delay the enforcement of the CCPA. The coalition of the 60+ organizations that decided to send this letter to the AG includes a wide range of industries such as telecom, entertainment, retail, advertising, insurance, real estate, and transportation. These businesses urged the AG to temporarily delay the enforcement of the CCPA until 2021 in order to give them more time to assess and understand the regulations (once they actually become final), to address the current pandemic, and to alleviate the stress on the industry as a whole. One of the biggest cited challenges is that the newly implemented telecommuting requirements as a result of the COVID-19 outbreak and “stay-at-home” orders made it difficult for the key personnel to continue focusing on building or testing CCPA-compliant platforms. The companies explain that many of these tasks must be performed on-site, which is currently impossible. Additionally, businesses report that they need more time to understand and implement the AG’s guidelines after they become final.
Not everyone agreed with this request, however. In response to this plea from the industry, the non-profit organization Consumer Reports vehemently opposed the extension, calling it a “a cynical attempt by industry to avoid honoring California consumers’ constitutional right to privacy” and an effort to “exploit the health crisis to ignore consumer requests to companies to stop selling their data.” Consumer Reports also cited COVID-19 as the very reason why prompt enforcement is actually necessary—to protect the privacy rights of consumers who increasingly work from home and rely on online communications for a wider range of activities, such as work, healthcare, and essential purchases.
The Attorney General’s office acknowledged the expressed concerns and declined to delay enforcement at this time. Specifically, an advisor to the California’s Attorney General reportedly stated the following: “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first . . . . We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” Notably, the AG’s office did not affirmatively say that companies will not be able to use COVID-19 as an excuse for non-compliance, but such requests—even if considered—will likely be addressed on a case-by-case basis and will need to be well-documented.
In short, CCPA compliance remains imperative. As a reminder, the CCPA has already been in effect since January, and the companies’ compliance obligations began at that time (or earlier). As we previously reported, AG Becerra stated that his office would “look back” to January 1, 2020 as the date on which businesses must have begun compliance with the CCPA. Unless California’s AG unexpectedly changes his latest position and both adopts an enforcement delay and makes AG’s enforcement effective as of the delay date, companies must continue to keep CCPA compliance in mind going forward. As previously discussed here and here, organizations are also more vulnerable to attacks during the current pandemic. Businesses should, therefore, (1) continue to comply with the CCPA, (2) continue to respond to consumers’ requests, and (3) remain vigilant about anticipating and avoiding any breach-related exposure.