Key Issues We’re Tracking as CCPA Enforcement Nears
Although 2020 has already provided more than its share of surprises for businesses, one thing appears to remain unchanged: the California attorney general’s commitment to enforcing the California Consumer Privacy Act beginning July 1, 2020. As companies work to ensure compliance with this legislation, we explore several key issues.
No one will disagree that a lot has happened since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite the Coronavirus (COVID-19) pandemic, the invasion of murder hornets and a number of other not-entirely pleasant surprises that 2020 has brought us thus far, it appears that the California attorney general is still committed to enforcing the CCPA starting on July 1, 2020. As your business prepares for CCPA enforcement, there are a number of issues to keep in mind:
1. The CCPA regulations still have not been finalized and are unlikely to take effect until October 2020.
The attorney general’s regulations, which aim to interpret and implement the important provisions of the CCPA, still have not been finalized. March 27, 2020, marked the end of the comment period for the current draft regulations (which was the second set of modifications released by the attorney general). We are now waiting to see whether the attorney general will issue yet another set of proposed modifications, or submit the current version to the California Office of Administrative Law (OAL) for approval. For the regulations to take effect July 1, the OAL would need to receive and approve the final regulations by May 31, which appears to be an unlikely scenario. Accordingly, the regulations likely will not take effect until October 1, and could potentially be delayed until 2021. As a result, companies should be prepared for CCPA enforcement to begin before the regulations take effect.
2. We’ve started to see the effects of the private right of action.
California consumers have begun to file lawsuits seeking to enforce their (purported) rights under the CCPA. The cases present a first opportunity for courts to examine the private right of action created by the law. One case, in particular, presents a potentially unanticipated theory of harm, and could prove fundamental in establishing the extent of liability for businesses subject to the CCPA. We describe these lawsuits in greater detail here. Because these lawsuits will begin to define the contours and scope of the CCPA, businesses subject to the CCPA should keep a close eye on their progress.
3. The Office of the Attorney General lacks enforcement resources.
As we wrote in a previous article, despite significant enforcement expenditures by the Office of the Attorney General (OAG), it is still an agency with limited resources. This is even more true now that more of the OAG’s resources are likely devoted to COVID response and related urgent priorities. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if, as expected, it takes on large and well-funded companies. Media reports continue to indicate that the attorney general’s enforcement priorities will focus on (i) companies that handle large amounts of consumer-sensitive and critical data (e.g., health records and Social Security numbers) and (ii) the treatment of children’s data.
4. It is unclear whether we will see any CCPA amendments enacted this year.
A number of potential CCPA amendments continue to work their way through committees in the California legislature. However, in early April, the California Senate president pro tem issued a memo that asked California Senate policy committee chairs to “put a pause on the evaluation of existing bills … in order to focus on the Senate response to issues [related to the pandemic] that we must immediately address.” The memo also requested that senators reconsider their priorities and reduce the number of bills they carry accordingly. Given this instruction, it is unclear whether we will see any CCPA amendments enacted this year. This could result in, for example, a failure to extend the partial exemptions for employees, job applicants and business contacts.
5. A new ballot initiative is likely to significantly amend and expand the CCPA.
The California Privacy Rights Act (CPRA) is a ballot initiative (led by the same forces behind the CCPA, privacy rights advocacy group Californians for Consumer Privacy and Celine and Alastair Mactaggart) intended to create new privacy obligations and introduce more protective measures for the processing of personal information about California residents. In early May, Californians for Consumer Privacy announced that it had enough signatures to qualify the CPRA for the November 2020 ballot. The CPRA must clear a number of hurdles—including certification of the signatures required to place the initiative on the ballot and the election itself—between now and the date it would take effect (January 2023). In the meantime, we recommend watching these developments with an eye toward the potential future of California privacy. You can also read our On the Subject about the CPRA’s key provisions.
CCPA compliance remains important. As a reminder, the CCPA is currently in effect and businesses are already obligated to comply with all of its provisions (including with respect to the 12-month lookback period for consumer requests), and not only the data-security provisions that became enforceable on January 1, 2020. As we previously wrote, delayed enforcement does not mean a free pass. The California attorney general has publicly stated that his office will enforce violations that occurred prior to the enforcement date. Unless the attorney general drastically changes course, businesses must continue to comply with and improve upon their CCPA programs.