August 15, 2020

Volume X, Number 228

August 14, 2020

Subscribe to Latest Legal News and Analysis

August 13, 2020

Subscribe to Latest Legal News and Analysis

August 12, 2020

Subscribe to Latest Legal News and Analysis

Today’s The Day: CCPA Enforcement Begins

As we’ve been writing about in this space for some time, today marks the opening of the CCPA enforcement era.  Despite protestations from the business community, and requests for delay due to the lack of regulations until early June and the ongoing COVID-19 state of emergency, AG Xavier Becerra declined to extend the deadline, saying “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

It’s unclear what enforcement will look like, but the inability to comply will not be an excuse from this point forward.     There are things you can do right now if your company is subject to CCPA compliance.

  • Make CCPA compliance a priority.  COVID-19 has certainly thrown everyone off track and caused businesses to face economic and operational hardships.   Penalties and fines start today, and could add up quickly for non-compliance.  Check your customer-facing processes and notices to ensure that they align with both the CCPA and the final regulations (although still not yet operational).

  • Review any COVID-19 related operational changes and square up with CCPA.  You may be collecting new and different employee information or the remote nature of your workforce may have changed how your company is collecting, processing, and storing personal information.  Evaluate all these changes and insure that your policies match current operational procedures.  Don’t forget to assess your new third-party vendors.

  • Prioritize consumer rights requests and responses.  COVID-19 has not given businesses any grace period from compliance with response to CCPA consumer rights requests, which were effective as of January 1.  You should already have operationalized this response process to ensure that you provide adequate and timely responses to requests that your business is receiving to exercise right to know, right to delete, or “do not sell.”   And speaking of “Do Not Sell,” it’s time to consider whether your business “sells” personal information in the context of the CCPA and add the required link to your website.

  • Update that privacy policy.   If the CCPA applies to your business, ensure that your privacy policy has been updated to provide the appropriate (and required) notices to California residents.   Hint:  If it’s dated before January 1, 2020, it probably needs work.   The final regulations provide granular requirements for notice content and where and how notices must be given.   This will likely be a major area for AG enforcement, since non-compliance will be obvious.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume X, Number 183

TRENDING LEGAL ANALYSIS


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732