CCPA Countdown: California AG Confirms That What Your Company Does Starting January 1 Is Fair Game for AG Enforcement
With about two weeks until the California Consumer Privacy Act (CCPA) becomes effective, the California Attorney General (AG) on Monday shed some light on an open question about CCPA enforcement timing. Specifically, the AG made clear that even though AG enforcement will be delayed, when he does begin to enforce the law July 1, 2020, his office will be looking at business activities starting on January 1, 2020 as fair game.
As background, in 2018, shortly after the CCPA itself was adopted, the California legislature amended the law to delay AG enforcement until July 1, 2020 or six months after the final CCPA regulations were published, whichever was sooner. As 2019 comes to a close without the implementing regulations being finalized, it is becoming clear that July 1 will be the date that AG enforcement can begin.
Some in industry had asked the AG for this delay in enforcement to also effectively function as a grace period. For example, the U.S. Chamber wrote in its March comments to the AG:
The . . . Attorney General [should] clarify that, when enforcement starts, any enforcement that occurs will only be based on business conduct or alleged business non-compliance that takes place on or after the enforcement date. Enforcement should not be based on conduct that occurs between the effective date—January 1, 2020—and the enforcement date of the Act.
But the AG’s remarks this Monday made clear that would not be the case. Despite a delayed enforcement date, the AG plans for enforcement actions to include business activities that occur during the first half of the year.
AG enforcement is of course not the only enforcement mechanism contemplated by the CCPA. The law also establishes a private right of action in the case of a security breach of certain personal information. That aspect of CCPA enforcement was never delayed by the legislature, so accordingly, the private right of action will be available for individuals to exercise starting January 1.
Businesses are scrambling to operationalize the CCPA’s onerous and often confusing requirements, which include revising and updating privacy policies and establishing mechanisms to facilitate and respond to a whole host of new consumer rights—including rights to access, portability, deletion, opt-out, opt-in (for minors), and non-discrimination. This scramble, which was on display at recent public hearings conducted by the AG, is further complicated by the fact that the AG has not yet finalized the law’s implementing regulations, which remain in draft form.
Despite these complications, the AG’s Monday remarks make clear that there will be no AG enforcement grace period, illustrating how critical it is to be in compliance with the law starting January 1.
If your business needs help in the race to January 1, feel free to contact our Privacy team.