The California Attorney General will soon begin to fully implement the California Consumer Privacy Act of 2018 (“CCPA”), the most comprehensive privacy law in the United States. The CCPA grants California residents new privacy rights and regulates businesses that obtain or process the personal data of California residents. It also gives consumers a private right of action for a data breach and grants new enforcement power to the Attorney General. We previously summarized key provisions in the CCPA in our advisory Preparing for the Inevitable: It’s Time to Begin Planning for the CCPA.
Enforcement to Commence on July 1
In January, the CCPA went into effect but enforcement was delayed until California’s Attorney General Xavier Becerra finalized the underlying regulations, or July 1, 2020, whichever came first. With about a month to go, the regulations are still not final. Nevertheless, Attorney General Becerra has announced that his office will move forward with enforcement of the CCPA starting on July 1. Though some businesses had argued that a delay in enforcement would be appropriate because of the coronavirus pandemic, the Attorney General rejected that idea. Instead, in a recent press release, he asserted that the impact of the pandemic has made it more important than ever to focus on privacy rights given consumers’ increased “dependency on online connectivity.”
The reality is that COVID-19 is forcing families to adjust to a new way of living and connecting remotely. Whether it’s our children’s schooling, socializing with family and friends, or working remotely – we are turning to mobile phones and computers as a lifeline. With such dependency on online connectivity, it is more important than ever for Californians to know their privacy rights.
What You Need to Do to Comply With the CCPA
By all indicators, the CCPA’s reach is broad. Since it became effective at the beginning of the year, private litigants from across the country have already started asserting claims under the act. At least one private litigant has argued that the CCPA creates a new standard of law. All of this underscores the need to regularly monitor and assess the impact of the CCPA on your business’s privacy practices, even if you are not located in California.
The steps necessary to comply with the CCPA are very much a function of how a particular business operates and communicates with its customers. If the CCPA applies to you (which it probably does if you regularly interact with California consumers online), the proposed regulations mandate in detail how and when businesses should prepare consumer notices, the content required in privacy policies, and the methods companies should use in responding to and verifying consumer requests. The proposed regulations also provide guidance on the obligations of service providers, use of authorized agents, training of individuals handling personal information, and recordkeeping.
Key issues addressed in the proposed regulations include:
Consumer Notices. The regulations describe in detail where, when, and how notices should be presented and designed, and describe the content they must include. These requirements differ depending on the specific business and data collection practices. For example, an online company that collects information has different obligations than a business that collects information only offline. In addition, there are different requirements for notice based on the reasonable expectations of consumers. Thus, a more prominent and “just-in-time” notification might be required if a business is collecting information in a way that might surprise the consumer, such as a flashlight application that collects geolocation information.
Though there remain many open questions about the CCPA and how exactly it will be enforced, companies need to take immediate steps to comply now. Nutter will continue to monitor CCPA developments and is ready to assist clients with their compliance obligations.