With the July 1 enforcement of the California Consumer Privacy Act (CCPA) less than a month away, the state attorney general has finally submitted the final text of the proposed CCPA regulations to the California Office of Administrative Law. This article discusses the current landscape and provides practical steps that companies can take before enforcement begins.
There has been much discussion about when the attorney general would take steps to finalize the proposed regulations by submitting them to the California Office of Administrative Law (OAL) for review. The attorney general has now taken that crucial step, submitting the final text of the proposed regulations to OAL on June 1 and requesting expedited review in the hopes that the regulations will be adopted on or before July 1. As discussed in an earlier alert the attorney general followed the expected path and finalized the text of the proposed regulations without making any further changes to the text of the last modified regulations released on March 11, 2020 (Second Set of Modifications).
The next step is for the OAL to review and approve the final proposed regulations. Once approved by the OAL, the final proposed regulations will be filed with the secretary of state and become enforceable. The OAL normally has 30 working days to review and approve regulations. Governor Gavin Newsom extended this review period for an additional 60 calendar days due to the coronavirus (COVID-19) crisis with an executive order he issued on March 30, 2020. Although the attorney general recognized the extension in the submission to the OAL, the attorney general requested the review to be complete within 30 days so that the regulations are enforceable by July 1, 2020, as mandated by the CCPA.
While it remains unclear whether the final regulations will be in force by July 1, the final text of the proposed regulations provide greater clarity for businesses finalizing their CCPA compliance efforts. Nevertheless, many ambiguities remain, such as the acceptable form for an opt-out button and how the CCPA applies to behavioral advertising.
In addition to questions around when the regulations would be final, there has also been discussion about a possible pushback of the enforcement date to January 2021 in light of the COVID-19 outbreak. A group of trade associations, in two letters addressed to the attorney general, emphasized the effects of operational disruptions created by COVID-19 on businesses’ CCPA compliance efforts such as unavailability of onsite staff to build necessary systems for CCPA compliance. It is now clear that these attempts have not succeeded. In a press release on June 2, 2020, the attorney general emphasized that that the enforcement will begin on July 1, stating “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”
Despite the lack of an effective date for the final CCPA regulations, it is important for companies to take the necessary steps to comply with the CCPA before July 1. As highlighted in a previous alert, the attorney general may pursue civil enforcement penalties, which could be substantial, if violations are not cured within 30 days after the attorney general provides notice of the alleged noncompliance. A civil penalty under the CCPA may result in up to a $2,500 fine for each violation and up to a $7,500 fine “for each intentional violation.”[1] The penalties can also accumulate quickly. For example, if a CCPA violation involves 100 consumers, the civil penalty could be up to $250,000 or up to $750,000 for intentional violations. Given the deadline and potential penalties, it is important that companies subject to the CCPA comply with the law. The following are some practical steps for companies to consider before July 1:
For our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. Find resources on how to cope with the post-pandemic reality on our NOW. NORMAL. NEXT. page and our COVID-19 page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts, and download our biweekly COVID-19 Legal Issue Compendium.
The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the proposed regulations, and how to ensure compliance before July 1. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
San Francisco
Carla Oakley
Michelle Park Chiu
Los Angeles
Joseph Duffy
Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams
New York
Martin Hirschprung
Washington, DC
Dr. Axel Spies
[1] CCPA, Cal. Civil Code § 1798.155(b).