Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know about the personal information that businesses collect about them; the right to know what businesses do with that information; and, the right opt out of the sale of certain personal information if a business sells that personal information. In turn, qualifying businesses that do business in California must institute certain policies, practices, and methods that allow consumers to effectuate those rights.
CCPA Then and Now: The Road to a “Final” Version
The CCPA was signed into law on June 28, 2018, became operative on January 1, 2020, and called for the Attorney General to promulgate implementing regulations before July 1, 2020. Due in part because the Attorney General had nearly two years to promulgate implementing regulations, the scope of businesses’ obligations under the law has been in flux pending the finalization of the regulations.
Since the CCPA was first signed in law, it has undergone many changes, significantly affecting its impact. In September 2018, just two months after the CCPA was signed, the California Legislature passed amendments that significantly changed its scope and how it would be enforced. (Read more about those amendments here). The following year, on October 10, 2019, the California Legislature passed additional amendments that further changed the scope of the CCPA. (Read about those amendments here). Part of those amendments was a bill that, with respect to information used in Business to Business (“B2B”) transactions and employee information used for employment purposes, delayed businesses’ obligations to comply with most of the CCPA until January 1, 2021. Then, throughout late 2019 and early 2020, the Attorney General released iterations of proposed implementing regulations, for public comment. Those regulations became finalized on August 14, 2020. The final text of the regulations can be found here.
But Wait, There’s More!
Due to the uncertain scope of business obligations and additional strain caused by the COVID-19 pandemic, businesses and trade groups sought to delay the Attorney General’s enforcement of the Act. Although the Attorney General did not agree to delay enforcement, he stated that his office may “exercise prosecutorial discretion if warranted.”
The CA Legislature, however, was persuaded by the businesses and groups, at least in part, and delayed compliance requirements for certain provisions of the CCPA. On September 1, 2020, the CA Legislature passed a bill extending the delay of business obligations with respect to certain personal information used in B2B transactions and for certain employment purposes until January 1, 2022. Businesses will still need to comply with the CCPA’s notice-at-the-time-of-collection requirement and are still subject to the CCPA’s data breach provision, which gives consumers the statutory right to bring legal actions against businesses for certain data breaches. But, business can rest easier knowing that at least some of the burden of compliance is delayed for another year. The full text of that bill is available here.