The novel coronavirus (“COVID-19”) pandemic has required businesses to adapt to unforeseen disruptions. However, one thing that has remained constant is the California Consumer Privacy Act (“CCPA”) enforcement date of July 1, 2020. Earlier this month, a coalition of approximately 60 businesses sent a letter to California Attorney General Xavier Becerra asking that the CCPA enforcement date be delayed until January 2, 2021 because of ongoing health and economic worries created by COVID-19. Civil Code Section 1798.85(c) states that “the Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” In an email to Forbes magazine, an advisor for the California Attorney General’s Office said that they are “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” and “encourage[d] businesses to be particularly mindful of data security in this time of emergency.” Consequently, because the final regulations have not been published, July 1, 2020 remains the CCPA enforcement date. Given the foregoing, businesses working to weather the damage caused by COVID-19 also need to be mindful of their compliance obligations under the CCPA.
What are the CCPA Enforcement Measures?
The CCPA went into effect on January 1, 2020. The California Attorney General’s Office has rolled out regulations to clarify and interpret the CCPA. The CCPA regulations are currently in their third draft form, the latest comment period having ended on March 27, 2020. In general, the CCPA was passed in order to protect consumers’ privacy rights by imposing obligations on how businesses collect, use and share California State residents personal information. Among other measures, the CCPA has codified California consumers’ rights to: 1) opt-out of the sale of their personal information to third parties; 2) request to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and 3) request that businesses delete personal information that has been collected from/about them.
Failure to comply with CCPA regulations can lead to substantial economic repercussions. California consumers can bring private rights of action against businesses for data breaches that have exposed their non-encrypted and non-redacted personal information to unauthorized third parties. Statutory damages contemplate the greater of actual damages, or between $100 and $750 per consumer, per incident. The California Attorney General is otherwise tasked with enforcing compliance with the CCPA. Businesses that receive notices of alleged violations will be afforded thirty (30) days to cure any instances of non-compliance. If businesses are unable to cure, civil penalties will range from $2,500 for non-intentional violations, up to $7,500 for intentional violations. Notwithstanding the foregoing, the Attorney General’s Office has communicated that it will only pursue the most egregious and flagrant CCPA cases at first.
Considering the significant penalties associated with violating the CCPA, it is recommended that businesses work with knowledgeable counsel to ensure CCPA compliance by the July 1 enforcement date.