Note: Since the writing of this blog CCPA has been replaced with CPRA.
The CCPA: California Consumer Privacy Act, first enacted in 2018, became effective on January 1st, 2020. The law provides a variety of privacy rights to consumers, including the right to request the deletion of collected personally identifiable information (“PII”), the right to opt-out of the “sale” of PII, and the right to file lawsuits directly against businesses under certain circumstances.
With the CCPA enforcement underway, businesses will have to continue to review their internal Privacy Policies and adjust accordingly. This article will provide details pertaining to when enforcement of the CCPA will begin so that your business may adequately prepare to comply with the law and avoid potentially heavy fines and lawsuits. To that end, this article will discuss the following two topics:
- When will the CCPA be enforced?
- The CCPA “look back” period
When is the CCPA enforcement date?
Despite the CCPA going into effect on January 1st, 2020, the California State Attorney General may not bring enforcement actions under the law until July 1st, 2020. Until then, the CCPA requires the State Attorney General to adopt regulations furthering the purpose of the law.
Amid the coronavirus pandemic, multiple trade associations and companies have called for the CCPA enforcement date to be delayed. These entities include advertising and marketing groups, internet and online services, and telecommunications companies. As discussed in the letter to the California Attorney General, the group expressed concerns that businesses would not possess the “operational capacity” to be compliant by the July 1st enforcement date.
Furthermore, the letter to the state Attorney General cited two reasons for the request to delay CCPA enforcement. One, because of nationwide stay-at-home orders, businesses are unable to have staff onsite to develop new systems and procedures to ensure compliance with the law. The letter further states that businesses should not be forced to consider the tradeoffs between decisions that are best for the health of employees and decisions that would assist in complying with the law and avoiding lawsuits. Two, the letter argues that, irrespective of the pandemic itself, businesses do not have time to comply with finalized regulations with only months to comply.
Despite calls to delay enforcement of the CCPA, the California Attorney General has announced that the enforcement period will begin on July 1st, 2020 as originally planned. Thus, businesses should be prepared to fully comply with both the CCPA itself and the enforcement regulations. As stay-at-home orders are lifted in the coming weeks and months, businesses may be better positioned to implement necessary systems and procedures to comply with the CCPA.
The CCPA “look back” period
Under some circumstances, businesses’ compliance obligations may have begun prior to January 1st, 2020. That is because the CCPA requires that businesses, when responding to consumer requests for disclosures or requests for deletion of collected PII, must cover the 12-month period that precedes the receipt of the consumer’s request. To illustrate, if a business received a request for the categories of PII it has collected about the consumer on January 1st, 2020, when the CCPA went into effect, the business would have to provide the categories of PII it collected from January 1st, 2019 to January 1st, 2020.
Furthermore, the CCPA requires that a business’s Privacy Policy provide a list of categories of the PII that it has collected about consumers in the preceding 12 months, a list of categories of PII it has sold in the preceding 12 months, and a list of categories of PII it has disclosed for a business purpose in the preceding 12 months. Thus, under certain circumstances, compliant Privacy Policies must reflect the information sharing practices of the business prior to January 1st, 2020.
To prepare for the CCPA’s enforcement date of July 1st, consider using Termageddon’s Privacy Policy Generator to help ensure your business is prepared to be compliant.