Despite the coronavirus (COVID-19) pandemic, the California attorney general intends to enforce the California Consumer Privacy Act (CCPA) beginning July 1, 2020, pending the anticipated approval from the California Office of Administrative Law (OAL) on the final text of the proposed CCPA regulations. This article discusses the scope of the new regulations and identifies practical steps that companies can take to ensure compliance before July 1.
Under the CCPA, July 1, 2020, is the earliest date that the Office of the California Attorney General may file an enforcement action.[1] The COVID-19 pandemic has sparked discussion about potentially postponing the July 1 enforcement date of the CCPA by the attorney general to January 2021. A group of trade associations, in two letters addressed to the attorney general, emphasized the effects of operational disruptions created by COVID-19 on businesses’ CCPA compliance efforts, such as the lack of onsite staff to help develop necessary compliance programs. Despite these concerns, the attorney general’s office has reaffirmed that July 1 remains its target enforcement date, stating in a recent press release that “[b]usinesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”[2]
The CCPA went into effect on January 1, 2020, but the new proposed regulations were submitted to the OAL for review on June 1, 2020, to ensure procedural compliance with the Administrative Procedure Act. The OAL has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic to approve the regulations.[3] However, despite the extended review period, the attorney general has requested that the OAL complete the review within 30 days to ensure that the regulations are enforceable by July 1, as mandated by the CCPA.[4] While it remains unclear whether the final regulations will be in force by July 1, the final text of the proposed regulations provides greater clarity for businesses finalizing their CCPA compliance efforts.
While not exhaustive, this overview highlights some of the most important elements of the proposed regulations. For a more detailed overview of the regulations, please see our February 18, 2020 alert.
Most notably, the new final proposed regulations submitted by the attorney general’s office:
Although the above summary does not include all of the proposed changes to the regulations, they are representative of the tone and scope of the attorney general’s approach to this update. The impact of the modifications will vary depending on how a business collects, uses, and discloses personal information, and how far along a business is in its CCPA compliance efforts.
The attorney general has the authority to enforce any violation of the CCPA against a “business, service provider, or other person.”[5] The attorney general has indicated that after July 1, it intends to bring enforcement actions against companies for CCPA violations occurring as early as January 1, 2020, when the CCPA first went into effect. However, retroactive enforcement of CCPA violations is not expressly provided for in the statute. To the contrary, the CCPA merely states that enforcement actions cannot be filed before “six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”[6] Attempts by the attorney general to pursue violations occurring before the July 1, 2020, enforcement may be problematic and inconsistent with the statute.
As highlighted in previous alerts, the attorney general may pursue injunctive relief or civil enforcement penalties, which could be substantial and accumulate quickly if violations are not cured within 30 days after receiving notice from the attorney general.[7] While enforcement procedures are not spelled out in the statute or the final proposed regulations, enforcement of the CCPA by the attorney general will likely typically begin with letters, subpoenas, or requests for information issued to companies that the attorney general believes to be out of compliance. Similar to other statutory mechanisms, enforcement may culminate in a pre-litigation consent decree involving monetary and injunctive terms mandating that the company comply with new regulations. The attorney general may also impose a penalty of up to $2,500 for each violation and up to $7,500 “for each intentional violation.”[8] Companies that are unsure about their CCPA compliance may seek an advisory opinion by the attorney general for guidance on how best to comply with the new regulations.[9]
Considering the attorney general’s recent statement that it intends to begin enforcing the CCPA starting July 1, 2020, now is the time to take concrete steps to implement compliance with the statute’s requirements, including the following:
For a more robust description of these practical steps, please see our June 4, 2020 alert.
Though the above steps are aimed at ensuring companies’ compliance with the CCPA, companies should be aware that the finalized proposed regulations do contain certain ambiguities that the attorney general has failed to clarify, such as how the CCPA applies to behavioral advertising and what constitutes a “sale” of personal information. In light of these ambiguities, and without clarification from the attorney general on these issues before the enforcement period begins, it is likely that these ambiguities will be resolved in the course of CCPA enforcement through enforcement actions and attorney general opinions. As such, companies are encouraged to stay abreast of CCPA developments to ensure their continued compliance with the regulations. Morgan Lewis has been and will continue assisting companies in responding to California Attorney General enforcement actions related to cybersecurity and privacy matters.
For our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. Find resources on how to cope with the post-pandemic reality on our NOW. NORMAL. NEXT. page and our COVID-19 page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts, and download our biweekly COVID-19 Legal Issue Compendium.
The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the proposed regulations, and how to ensure compliance before July 1. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
San Francisco
Carla Oakley
Michelle Park Chiu
Los Angeles
Joseph Duffy
Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams
New York
Martin Hirschprung
Washington, DC
Dr. Axel Spies
[1] Cal. Civ. Code § 1798.185(c).
[2] Press Release, State of Cal. Dep’t of Justice, Office of the Attorney Gen., Attorney General Becerra Submits Proposed Regulations for Approval Under the California Consumer Privacy Act (Jun. 2, 2020) (on file with author).
[3] Proposed Regulations Package Submitted to OAL, State of Cal. Dep’t of Justice, Office of the Attorney General, https://oag.ca.gov/privacy/ccpa.
[4] Written Justification for Earlier Effective Date and Request for Expedited Review, State of Cal. Dep’t of Justice, Office of the Attorney General.
[5] Cal. Civ. Code § 1798.155(b).
[6] Id. § 1798.185(c).
[7] See id.
[8] Id.
[9] Id. § 1798.155(a).