As we’ve been writing about in this space for some time, today marks the opening of the CCPA enforcement era. Despite protestations from the business community, and requests for delay due to the lack of regulations until early June and the ongoing COVID-19 state of emergency, AG Xavier Becerra declined to extend the deadline, saying “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”
It’s unclear what enforcement will look like, but the inability to comply will not be an excuse from this point forward. There are things you can do right now if your company is subject to CCPA compliance.
-
Make CCPA compliance a priority. COVID-19 has certainly thrown everyone off track and caused businesses to face economic and operational hardships. Penalties and fines start today, and could add up quickly for non-compliance. Check your customer-facing processes and notices to ensure that they align with both the CCPA and the final regulations (although still not yet operational).
-
Review any COVID-19 related operational changes and square up with CCPA. You may be collecting new and different employee information or the remote nature of your workforce may have changed how your company is collecting, processing, and storing personal information. Evaluate all these changes and insure that your policies match current operational procedures. Don’t forget to assess your new third-party vendors.
-
Prioritize consumer rights requests and responses. COVID-19 has not given businesses any grace period from compliance with response to CCPA consumer rights requests, which were effective as of January 1. You should already have operationalized this response process to ensure that you provide adequate and timely responses to requests that your business is receiving to exercise right to know, right to delete, or “do not sell.” And speaking of “Do Not Sell,” it’s time to consider whether your business “sells” personal information in the context of the CCPA and add the required link to your website.
-
Update that privacy policy. If the CCPA applies to your business, ensure that your privacy policy has been updated to provide the appropriate (and required) notices to California residents. Hint: If it’s dated before January 1, 2020, it probably needs work. The final regulations provide granular requirements for notice content and where and how notices must be given. This will likely be a major area for AG enforcement, since non-compliance will be obvious.