The CCPA: California Consumer Privacy Act, first enacted in 2018, became effective on January 1st, 2020. The law provides a variety of privacy rights to consumers, including the right to request the deletion of collected personally identifiable information (“PII”), the right to opt-out of the “sale” of PII, and the right to file lawsuits directly against businesses under certain circumstances.
With the CCPA enforcement date of the law drawing near, businesses will have to continue to review their internal privacy policies and adjust accordingly. This article will provide details pertaining to when enforcement of the CCPA will begin so that your business may adequately prepare to comply with the law and avoid potentially heavy fines and lawsuits. To that end, this article will discuss the following two topics:
- When will the CCPA be enforced?
- The CCPA “look back” period
When is the CCPA enforcement date?
Despite the CCPA going into effect on January 1st, 2020, the California State Attorney General may not bring enforcement actions under the law until July 1st, 2020. Until then, the CCPA requires the State Attorney General to adopt regulations furthering the purpose of the law.
Amid the coronavirus pandemic, multiple trade associations and companies have called for the CCPA enforcement date to be delayed. These entities include advertising and marketing groups, internet and online services, and telecommunications companies. As discussed in the letter to the California Attorney General, the group expressed concerns that businesses would not possess the “operational capacity” to be compliant by the July 1st enforcement date.
Furthermore, the letter to the state Attorney General cited two reasons for the request to delay CCPA enforcement. One, because of nationwide stay-at-home orders, businesses are unable to have staff onsite to develop new systems and procedures to ensure compliance with the law. The letter further states that businesses should not be forced to consider the tradeoffs between decisions that are best for the health of employees and decisions that would assist in complying with the law and avoiding lawsuits. Two, the letter argues that, irrespective of the pandemic itself, businesses do not have time to comply with finalized regulations with only months to comply.
Despite calls to delay enforcement of the CCPA, the California Attorney General has announced that the enforcement period will begin on July 1st, 2020 as originally planned. Thus, businesses should be prepared to fully comply with both the CCPA itself and the enforcement regulations. As stay-at-home orders are lifted in the coming weeks and months, businesses may be better positioned to implement necessary systems and procedures to comply with the CCPA.
The CCPA “look back” period
Although CCPA enforcement will begin on July 1st, 2020, businesses must be mindful that the law officially went into effect on January 1st, 2020. This means that businesses found to be non-compliant with the law at any point beginning from January 1st on risk facing enforcement actions and fines under the CCPA.
Under some circumstances, businesses’ compliance obligations may have begun prior to January 1st, 2020. That is because the CCPA requires that businesses, when responding to consumer requests for disclosures or requests for deletion of collected PII, must cover the 12-month period that precedes the receipt of the consumer’s request. To illustrate, if a business received a request for the categories of PII it has collected about the consumer on January 1st, 2020, when the CCPA went into effect, the business would have to provide the categories of PII it collected from January 1st, 2019 to January 1st, 2020.