COVID-19’s strain on businesses has prompted the federal and state governments to relax certain regulatory standards. Regardless of the pandemic’s increasing momentum in the United States, and in California particularly, the California Consumer Privacy Act (CCPA) remains alive and well — as evidenced by an amended class action filed on March 9, 2020, which seeks private enforcement of the CCPA in the U.S. District Court for the Northern District of California. The CCPA includes both a specific private right of action for breaches of California residents’ personal information, which took effect January 1, 2020, and enforcement by the California attorney general for any general noncompliance with CCPA, slated to begin July 1, 2020.

The amended class action complaint was filed against the high-end children’s apparel retailer Hanna Andersson and its e-commerce platform vendor, Salesforce.com, Inc. The complaint alleges CCPA violations by “failing to prevent Plaintiff’s and California putative class members’ nonencrypted and nonredacted [personally identifiable information] from unauthorized access and exfiltration, theft, or disclosure” on Hanna Andersson’s website and the Salesforce platform between September 16, 2019 and November 11, 2019. The lawsuit seeks between $100 and $750 for each California resident affected by the breach, injunctive relief, as well as attorney’s fees and costs.

This case provides an initial glimpse as to how courts will treat alleged CCPA violations, including some nuanced issues that are not clear under the CCPA. For example, while the CCPA was enacted by the time the breach transpired, the law did not take effect until January 1, 2020. Given the breach occurred during 2019, the court will need to determine whether a class action can be based on a data breach that occurred before the law officially went into effect.

AG enforcement is still slated to begin July 1, 2020

Meanwhile, Attorney General Becerra’s office has been revising its CCPA-related regulations and published its most recent changes to the public on March 11, 2020. The continued modifications, the fast-approaching July 2020 enforcement date, and the increased strain on businesses caused by COVID-19 have prompted a coalition of advertisers, the Motion Picture Association of America, and more than 50 other business groups to sign a letter to the attorney general’s office to request a postponement of enforcement of the CCPA until January 2021. This plead for a delay, however, does not appear to have moved the AG’s office.

The International Association of Privacy Professionals reported on March 24 that Becerra’s office is not currently entertaining any postponement, even with the complications of COVID-19, stating, “[r]ight now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first” and that businesses must be “mindful of data security in this time of emergency.¹

In any event, the AG should not be undertaking any enforcement efforts before July 1, 2020, even if the regulations are finalized sooner. Section 1798.185(c) of the CCPA provides that “[t]he attorney general shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” Thus, July 1 is still the operative date for AG enforcement unless a postponement is officially announced.

Key Points

• The CCPA private right of action requires there to be harm as a result of a failure to provide reasonable security. With businesses moving to remote access to continue to function during the pandemic, it is important to be mindful of security measures pertaining to personal information of consumers in a remote-working environment.

• Companies should not assume that enforcement of the CCPA by the attorney general will be postponed as a result of the COVID-19 pandemic. The AG has made clear the importance of protecting consumers’ privacy and the need to be particularly mindful of data security during a time of emergency.

Endnote