With July 1, 2020, looming as the date the Attorney General can begin enforcing the California Consumer Privacy Act (CCPA), many businesses are still playing catch-up to understand and comply with the law’s requirements. Despite requests from covered businesses to delay enforcement, the Attorney General has indicated California will proceed with enforcement despite the delay in finalizing the regulations and the effects of the COVID-19 pandemic.
The comment period for the second modified regulations on implementation of the CCPA released by the California Attorney General’s Office closed on March 27, 2020. The second set of modifications contained substantive changes, but those changes were less significant than the first set of modifications, indicating that the Attorney General may be closer to issuing final regulations. These final regulations will be key for companies to move forward with implementing more detailed policies and procedures for CCPA compliance.
RJO’s Cybersecurity and Privacy Group can provide our clients with customized and practical assistance with CCPA preparation and compliance efforts.
While the Second Modified Proposed Regulations contain fewer changes than the first set of modifications, they demonstrate that the regulations remain in flux on important implementation questions. The Attorney General walked back changes from the first set of modifications and provided new requirements on disclosures and consumer rights. These changes reflect input from both consumer privacy advocates and the business community. In the second modifications, the AG:
More changes are likely to follow as the Attorney General reviews comments on the second modifications.
Even as we await final regulations from the Attorney General, plaintiff’s attorneys have begun testing the limits of the private right of action under the CCPA, including testing enforcement of the CCPA through California’s Section 17200 Unfair Competition Law (“UCL”). Examples include:
While the courts may ultimately decide that private enforcement does not extend beyond security breaches or that a CCPA violation cannot be transformed into a UCL violation to avoid the CCPA bar on private enforcement, litigation testing the limits of the CCPA is likely to continue for the foreseeable future.
As privacy legislation in state legislatures and the federal government has stalled, the CCPA has taken on an increasingly central role in privacy compliance in the United States. Recently, the Washington state legislature was unable to pass SB 6281, the Washington Privacy Act. Washington lawmakers were unable to resolve a conflict over giving consumers a private right of action or limiting enforcement power to the state attorney general and were thus unable to pass comprehensive data privacy legislation. This news comes at the heels of reports that bipartisan negotiations on a federal privacy bill have hit another impasse this month, also on issues of enforcement power as well as preemption.
As lawmakers are experiencing across the nation, it is very difficult to implement comprehensive data privacy legislation that affords consumers broad rights with meaningful enforcement mechanisms. In this regard, the CCPA is significant not just for its early adoption, but for complementing Attorney General enforcement actions with an express private right of action for individual consumers.
As described above, we are only beginning to see how plaintiffs might pursue damages under the CCPA, and we will soon start seeing how the Attorney General will approach the enforcement of the CCPA. Many businesses will find themselves subject to new claims and investigations, and our clients must be prepared to minimize and mitigate liability risks moving forward.
While CCPA implementation and enforcement are still in flux, privacy activists are attempting to put an even more stringent privacy initiative on California’s ballot for the fall. While the group has been gathering signatures, the COVID-19 lockdown measures may prevent the group from reaching the number of signatures required to make it on the November 2020 ballot. As of February 13, the CCPA 2.0 measure reported 25% of the 623,212 signatures necessary, but with an April 21 deadline in place for counties to place the measure on their ballots, the initiative’s fate is far from certain.
Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.
The materials provided at this site are offered for informational and educational purposes only, and are not offered as and do not constitute legal advice or legal opinions. The transmission or receipt of information through this website, or communication with Rogers Joseph O’Donnell via email through this website, does not constitute or create an attorney-client relationship between us and any recipient.