Quick Links



Friday, April 3, 2020

No Delay on July 1 CCPA Enforcement

While businesses and their employees adjust to stay-at-home orders, the latest from the California Department of Justice (DOJ) is that there’s no delay to California Consumer Privacy Act (CCPA) enforcement. The landmark CA privacy law became effective on January 1, 2020, and the CA DOJ expects to finalize the draft rules implementing the CCPA and keep to the enforcement start date of July 1, 2020. Various coalition groups impacted by the new law have made pleas for a delay in enforcement, and the DOJ has responded by announcing they have not considered delaying it.

The CCPA gives Californians specified rights over their personal information. These include the right to know and access what personal data a business has collected about a person, the right to be forgotten (i.e., request the deletion of your personal data, with certain exceptions) and the right to refuse (opt out) of the sale of your personal data.

If your business interacts with California consumers, it is critical that you ensure consumer-facing policies and systems are up to date and align internal processes (i.e., ensure processes support data access and portability and opting out of the sale of consumer data) and external processes (i.e., update service provider agreements, impose obligations on providers that support consumer requests and limit sharing with third parties) to requirements.

As the July deadline fast approaches, many businesses may be wondering how enforcement will unfold in light of employees having to work from home. Furthermore, considering that the draft regulations that aim to interpret the CCPA are not yet final, it is not completely illogical to have concerns over enforcement.

Still, the best advice is clearly to operate in a mode of great urgency. It is important for businesses to keep in mind that enforcement will retroactively consider their organization’s compliance as of the effective date of the new law, which was January 1. In theory, if you are a business subject to the CCPA, you should have met your compliance obligations by this date, at the latest.

The reality, of course, is that many businesses are still struggling to understand how the privacy law applies to their data operations. For businesses that have adapted their processes and systems to the new requirements, there are unresolved compliance questions on how adopted standards will play out against the final CCPA regulations. Overall, it is likely that many covered businesses have yet to fully comply.

Clearly, the current COVID-19 disruption does extend the time for businesses that have to comply with the CCPA to meet their obligations. There are many opinions out there on how the CA DOJ may react given a worsening public health crisis and the resource and time challenges posed by working from home.

The fact is that no one can predict what the Attorney General will do next. However, if you are a covered business, you should have implemented CCPA-aligned processes. If you are lagging behind, it is never too late to organize your compliance team and put everyone to task. And keep in mind that in times such as this, companies are vulnerable to increased cyberattacks and need to ensure their workforces are following best practices.

Your CCPA obligations have not ceased because of COVID-19, so ensure your team is still responding in a timely manner to all consumer requests. And if you are not fully compliant with CCPA, continue to work toward that goal as quickly as possible.

Need compliance help? Contact privacy expert Pippa Akem to learn more about our privacy services and solutions. For the latest updates and other information to help you keep your business running through disruption, visit our COVID-19 Resource Center.


comments powered by Disqus