On January 1, 2020, California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect. The CCPA imposes various obligations on covered businesses and provides extensive rights to consumers with respect to controlling the collection and use of their personal information. While some companies have largely completed their CCPA compliance efforts, many others are still digesting the CCPA and draft proposed regulations, and taking steps to meet the CCPA’s myriad compliance obligations.

Confusion persists about how businesses can comply with certain provisions of the CCPA. In October 2019, the California Attorney General issued proposed regulations that provide guidance on a number of key areas, but the regulations are not yet final. If adopted, violations of the proposed regulations will be treated the same as violations of the CCPA itself, with the same penalties. We have summarized the proposed regulations in previous alerts:

Comments on the proposed regulations can be viewed here.

While formal enforcement proceedings by the California Attorney General will not begin until July 1, 2020, it is possible the agency will pursue retroactive enforcement for violations that occur between January 1 and July 1, 2020. The California Attorney General may impose civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day cure period.

In addition, the CCPA grants California consumers a private right of action and statutory damages of $100 to $750 per incident against companies that experience a data breach caused by failure to implement and maintain reasonable security procedures. Those lawsuits may be filed at any time.

Companies that have not yet completed (or commenced) CCPA compliance efforts should continue (or get started) in an effort to mitigate CCPA risk. Due to “limited resources,” California Attorney General Xavier Becerra has stated the agency will “look kindly on those that … demonstrate an effort to comply.”