Potential Delayed Enforcement of the CCPA in Light of the Coronavirus

Mar 23, 2020 Published Article

In light of recent developments surrounding COVID-19 (commonly referred to as the Coronavirus), including the “stay at home” lockdown order for nonessential businesses issued by Governor Newsom on March 19th, industry leaders are encouraging California’s Attorney General to delay enforcement of the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. This law was implemented to protect the use, sharing and selling of consumers’ personal information, amongst numerous other requirements.  The Attorney General is authorized to start enforcement actions pursuant to the CCPA staring July 1, 2020.

Attorney General Guidance

The State Attorney General was also tasked with providing guidance on compliance with the CCPA.  To date, the Attorney General has proposed the California Consumer Privacy Act Regulations.  These draft regulations have been modified twice, with the second proposed set of regulations subject to public comment and feedback due at the end of this week, on March 27, 2020.

Proposed Delay in Enforcement of the CCPA

A variety of organizations have written a letter to the Attorney General proposing a delay in the enforcement of the CCPA due to the unique difficulties set forth by COVID-19.  These organizations include:

  1. The California Attractions and Parks Association (including many of California's major tourist attractions, such as the Disneyland Resort, Knott's Berry Farm, Six Flags and Universal Studios);
  2. The California Business Properties Association, representing commercial real estate professionals (including the International Council of Shopping Centers, the California Chapters of the Commercial Real Estate Development Association, the Retail Industries Leaders Association and the Institute of Real Estate Management and AIR CRE);
  3. The California Retailer's Association, representing and promoting California's retail industry;
  4. CalChamber, a California non-profit entity that gives guidance on and advocates for businesses regarding labor law issues;
  5. The National Business Coalition on E-Commerce and Privacy (representing consumer interests);
  6. Various technology-focused groups including the Silicon Valley Leadership Group, CompTIA, the Internet Coalition, the Email Sender & Provider Coalition, the Interactive Advertising Bureau, and TechNet;
  7. The Civil Justice Association of California, a California Non-profit organization that advocates on behalf of businesses; and
  8. Groups which are connected to or represent businesses in the 16 essential services are also asking for this delay, such as: UPS, the California Cable & Telecommunications Association, the Cemetery and Mortuary Association, Investment Company Institute, and Plumbing Manufacturers International.

The request has been made to delay enforcement of the CCPA until January 2, 2021.

The request notes that the CCPA is still evolving as guidance has yet to be finalized, and that COVID-19 is causing a delay to businesses in implementing compliance measures because there are no dedicated on-site staff available to build and test necessary new systems and processes, especially for measures that are required at physical locations.

From a practical perspective, the Attorney General has more pressing issues to address at this time, with the Coronavirus and the myriad of implications for state residents as a result of this pandemic.

What You Should Do

It will be important for business leaders to watch for the Attorney General’s response to this delay request, as well as any further guidelines issued regarding compliance with the CCPA.  Businesses should also note that any such delay will not impact consumers’ ability to bring a private right of action for a data breach.  Therefore, while dealing with all of the COVID-19 fallout, it is imperative that businesses continue to protect personal information, and maintain a strong cybersecurity framework.