Previously, we wrote about the industry leaders that are encouraging California’s Attorney General to delay enforcement of the California Consumer Privacy Act (CCPA). However, it should be noted that this may not reflect the consensus, as Consumer Reports has issued a statement encouraging the Attorney General to move forward with enforcing the CCPA, even with the current COVID-19 pandemic. Furthermore, the office of the California Attorney General recently emphasized that it will not alter the current enforcement timeline.
Consumer Reports' Request
In its statement on Monday, March 23, 2020, Consumer Reports stated that the potential privacy risks to consumers due to delayed enforcement was too great, especially in light of the increasing reliance on online communications in almost every area of modern life, from shopping and work to telehealth. To this extent, Consumer Reports is pushing policymakers to protect personal safety and security in light of COVID-19.
How California is Planning on Enforcing the CCPA Now?
An advisor to the California Attorney General Becerra recently stated that the office of the Attorney General will continue towards enforcement of the CCPA beginning July 1, 2020. While the office of the Attorney General is mindful that there will be difficulties added by COVID-19, they stressed to businesses that they should remain mindful of protecting the personal information of their consumers. Previously, the Office of the California Attorney General had communicated that enforcement would generally be limited to (a) the most egregious, flagrant cases and (b) there would only be enough resources in the office of the Attorney General to pursue a few cases each year. Also, while the CCPA took effect on January 1, 2020, actual enforcement actions regarding the CCPA were not contemplated to begin until July 1, 2020. Furthermore, the Attorney General will be able to retroactively look to a covered business's compliance as of the effective date of the CCPA.
What Do Businesses Need to Do Now?
Businesses should make efforts to determine their compliance strategy for the CCPA as soon as possible. Since enforcement will not be delayed, businesses are not relieved from their obligation to comply with the CCPA. Businesses should, if resources permit, engage third-parties to create a CCPA compliance plan and work with IT professionals to ensure CCPA compliance in addition to remote work capabilities where possible. While there are practical issues with compliance due to the not-yet finalized regulations proposed by the Attorney General and the lack of in-person coordination possible due to COVID-19, this currently does not limit a business's obligations under the CCPA, especially given the advent of video-conferencing software and team-communication platforms meant to aid remote work circumstances. Furthermore, while the Attorney General claims it will only pursue egregious and flagrant cases at first, this will likely expand to infractions for non-compliance over time.
Lastly, regardless of the enforcement rights of the Attorney General, the private right of action regarding data breaches under the CCPA remains in place. Class-action lawsuits have already begun under the CCPA, and will likely continue to increase significantly as time moves forward.
Ultimately, businesses should move quickly towards compliance and creating a plan if they have not begun already. While 90 days is certainly not a lot of time to become compliant, it only stresses the need to move quickly and make basic measures towards compliance, such as updating terms and conditions for compliance, preparing disclosures, and mapping where data is stored and how it is shared.