Despite concerns expressed by the business community, enforcement of the California Consumer Privacy Act (CCPA) will not be delayed as a result of the COVID-19 pandemic. California Attorney General Xavier Becerra recently clarified that his office "is committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. … [W]e are all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers' privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency."
Given this announcement, businesses must not delay the implementation of the systems, policies and procedures necessary to enable them to meet the law's requirements for protecting consumers' privacy rights and ensuring reasonable security in protecting sensitive consumer information.
In addition to the AG's enforcement authority, the CCPA provides a limited private right of action in circumstances where the personal information of California consumers is subject to a data breach caused by a business' failure to maintain reasonable security. Subject to limited exceptions, prior to bringing any private action, the CCPA requires that the subject business be provided a specific notice and cure period. As anticipated, these limitations have not discouraged CCPA litigation, with putative class actions for alleged violations having already been filed in U.S. District Courts throughout California.
Companies assessing their litigation risks have much to watch for, as these cases—and the issues they raise—progress, including whether a non-data breach private right of action under the CCPA will be permitted, whether consumers can utilize the UCL to prosecute CCPA violations, and whether the new law can be applied retroactively.