As of today, July 1, 2020, the California Attorney General (“AG”) will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”), which went into effect on January 1, 2020. Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. The CCPA also provides for a private right of action for damages resulting from a data breach involving certain defined types of personal information; indeed, a significant amount of CCPA class action litigation has already been filed. See our prior posts for a detailed analysis of the CCPA and its requirements. In connection with the commencement of CCPA enforcement activity, California AG Xavier Becerra issued the following statement:
Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says “Do Not Sell My Personal Information.” Click on it. Remember, it’s your data. You now get to control how it’s used or sold.
The AG has the authority to bring enforcement actions that cover business activities going back to the CCPA’s effective date. The AG has denied repeated requests from California businesses to delay enforcement due to compliance challenges brought on by the COVID-19 pandemic.
This is despite the fact that the AG’s proposed regulations clarifying certain CCPA obligations are not yet final. On June 1, 2020, the AG filed the regulations with the Office of Administrative Law (“OAL”) and requested an expedited review to make them effective on July 1, 2020. As of this writing, the OAL had not yet given its final approval to the proposed regulations. The OAL has 30 working days (plus an additional 60 calendar days pursuant to an Executive Order currently in place) to review and approve the proposed regulations, then file them with the California Secretary of State. This could mean that the regulations will not take effect until October 1, 2020. For more details, see our prior post.
As we await a potential wave of AG enforcement and the finalization of the CCPA regulations, the state of California’s privacy laws remains fluid. On June 24, 2020, the California Secretary of State confirmed that the California Privacy Rights Act (“CPRA”) has officially obtained enough signatures to appear on the November 2020 ballot. If approved by California voters, the CPRA will significantly expand the requirements of the CCPA and create a new Privacy Protection Agency in California to enforce California’s privacy laws. See our prior post for more details.
However, given that the AG is now enforcing the CCPA, businesses need to take action as quickly as possible to update privacy notices, implement processes to comply with individual rights requests, ensure that contracts are in place with service providers, and address other applicable CCPA requirements.