CCPA enforcement begins amid pandemic and regulatory uncertaintyJuly 7, 2020
On July 1, 2020, the office of the California Attorney General (AG) began enforcement of the California Consumer Privacy Act (CCPA).
The CCPA—generally viewed as the broadest digital privacy law in the U.S. which poses significant concerns for practically any business with a website accessible to California consumers—became effective on Jan. 1, 2020. However, after its effective date, CCPA was subject to a six-month ramp-up period, such that enforcement was not to begin until July 1, 2020.
Considering several developments, there were questions as to whether enforcement would begin on July 1, 2020. During the ramp-up period, the California AG issued regulations governing the implementation of the CCPA. Confusingly, those regulations were modified several times. It was not until June 1, 2020, that the California AG finalized the regulations.
The regulations must now undergo a 90-day review by the California Office of Administrative Law, after which their final text will be filed with the California Secretary of State. Only then—around the end of August—will the regulations become enforceable. Thus, while CCPA is itself in effect, the status of its regulation has been a matter of significant procedural uncertainty. In addition to that procedural uncertainty, businesses across the world are also dealing with the 2019 novel coronavirus (COVID-19) pandemic. Understandably, many industry leaders called on the California AG to delay its CCPA enforcement efforts.
We now know that the California AG has rejected those requests and despite the current environment—the pandemic still raging and regulations that are not yet technically effective—began moving ahead with enforcement on July 1, 2020. In an interview with The Washington Post, the California AG confirmed: “For sure we will start enforcing on July 1.” Now, we are seeing reports that enforcement in fact began as promised, with companies receiving compliance notices before the July 4 holiday weekend.
There is only one way to interpret this move by the California AG: businesses cannot wait to ensure compliance with CCPA’s provisions.
What you can do now:
- Read the law and the still-pending implementing regulations
- If you haven’t yet, contact an attorney to ensure you’ve taken all possible steps to comply with the CCPA
- If you receive a compliance notice from the California AG, ensure that you comply with all deadlines and next-step requirements, preferably with the advice of an attorney
If you need any assistance with CCPA compliance or other data privacy and security matters, contact our Data Privacy & Cybersecurity Practice Group.