August 02, 2020 Practice Points

CCPA Enforcement Begins amid Pandemic

Businesses must not wait to ensure compliance with the CCPA’s provisions.

By Zachary R. Willenbrink

We are monitoring the coronavirus (COVID-19) situation as it relates to law and litigation. Find more resources and articles on our COVID-19 portal. For the duration of the crisis, all coronavirus-related articles are outside our paywall and available to all readers.

On July 1, 2020, the office of the California attorney general (AG) began enforcement of the California Consumer Privacy Act (CCPA). Generally viewed as the broadest digital privacy law in the United States, the CCPA poses significant concerns for practically any business with a website accessible to California consumers.

Ramp-Up Period

The CCPA became effective on January 1, 2020. However, after its effective date, the CCPA was subject to a six-month ramp-up period, such that enforcement was not to begin until July 1, 2020.

Implementing Regulations

Due to several developments, there were questions as to whether enforcement would begin on July 1, 2020. During the ramp-up period, the California AG issued regulations governing the implementation of the CCPA. Confusingly, those regulations were modified several times. It was not until June 1, 2020, that the California AG finalized the regulations.

The regulations now must undergo a 90-day review by the California Office of Administrative Law, after which their final text will be filed with the California secretary of state. Only then—around the end of August—will the regulations become enforceable. Thus, while the CCPA is itself in effect, the status of its regulation has been a matter of significant procedural uncertainty.

Enforcement Not Delayed

In addition to that procedural uncertainty, businesses across the world are dealing with the 2019 novel coronavirus (COVID-19) pandemic. Understandably, many industry leaders called on the California AG to delay its CCPA enforcement efforts.

We now know that the California AG has rejected those requests and despite the current environment—the pandemic still raging and regulations that are not yet technically effective—began moving ahead with enforcement on July 1, 2020. In an interview with the Washington Post, the California AG confirmed, “For sure we will start enforcing on July 1.” Rachel Lerman, California Begins Enforcing Digital Privacy Law, Despite Calls for Delay, Wash. Post (July 1, 2020). Now, we are seeing reports that enforcement in fact began as promised, with companies receiving compliance notices before the July 4 holiday weekend.

Recommendations

There is only one way to interpret this move by the California AG: businesses must not wait to ensure compliance with the CCPA’s provisions.

What you can do now:

  • Read the law and the still-pending implementing regulations.
  • If you haven’t yet, contact an attorney to ensure that you have taken all possible steps to comply with the CCPA.
  • If you receive a compliance notice from the California AG, ensure that you comply with all deadlines and next-step requirements, preferably with the advice of an attorney.

Zachary R. Willenbrink is an associate at Godfrey & Kahn, S.C., in Milwaukee, Wisconsin.


Copyright © 2020, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).