CCPA July 1, 2020 Enforcement Deadline Is Fast Approaching Despite COVID-19

With July 1, 2020, looming as the date the Attorney General can begin enforcing the California Consumer Privacy Act (CCPA), many businesses are still playing catch-up to understand and comply with the law’s requirements.  Despite requests from covered businesses to delay enforcement, the Attorney General has indicated California will proceed with enforcement despite the delay in finalizing the regulations and the effects of the COVID-19 pandemic.

The comment period for the second modified regulations on implementation of the CCPA released by the California Attorney General’s Office closed on March 27, 2020.  The second set of modifications contained substantive changes, but those changes were less significant than the first set of modifications, indicating that the Attorney General may be closer to issuing final regulations.  These final regulations will be key for companies to move forward with implementing more detailed policies and procedures for CCPA compliance.

RJO’s Cybersecurity and Privacy Group can provide our clients with customized and practical assistance with CCPA preparation and compliance efforts.

The Second Modified Proposed Regulations Leave Implementation Unclear

While the Second Modified Proposed Regulations contain fewer changes than the first set of modifications, they demonstrate that the regulations remain in flux on important implementation questions.  The Attorney General walked back changes from the first set of modifications and provided new requirements on disclosures and consumer rights.  These changes reflect input from both consumer privacy advocates and the business community.  In the second modifications, the AG:

• Deleted the requirement that businesses provide employees with a copy of the company privacy policy when collecting employee information.
• Withdrew a business-friendly limitation on how to define personal information
• Tightened restrictions on how service providers can use personal information.
• Left unclear the proper format of an opt-out logo or button.

More changes are likely to follow as the Attorney General reviews comments on the second modifications.

CCPA Class Action Litigation Has Begun

Even as we await final regulations from the Attorney General, plaintiff’s attorneys have begun testing the limits of the private right of action under the CCPA, including testing enforcement of the CCPA through California’s Section 17200 Unfair Competition Law (“UCL”).  Examples include:

• Taylor v. Zoom Video Comms, Inc., N.D. Cal., No. 5:20-cv-02170-SVK, filed on March 31, 2020 – Plaintiff alleges violations of the CCPA notice and opt-out requirements by way of Zoom’s disclosure of PII to Facebook and other third parties. In this regard, Plaintiff seeks to expand the application of the private right of action beyond security breaches under Cal. Civ. Code § 1798.150.
• Cullen v. Zoom Video Comms, Inc., N.D. Cal., No. 5:20-cv-02155-SVK, filed on March 30, 2020 – Plaintiff alleges similar violations of the CCPA notice requirements, as well as the security breach provision under Cal. Civ. Code § 1798.150(a). Plaintiff separately alleges that the notice violations qualify as a Section 17200 “unlawful” claim, despite the CCPA’s provision that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”  Civ. Code § 1798.150(c).
• Burke v. Clearview AI, Inc., S.D. Cal., No. 3:20-cv-00370-BAS-MSB, filed February 27, 2020 – Plaintiffs seek a CCPA subclass on the basis that biometric information was improperly collected without adequate notice under the CCPA. Plaintiffs allege that the notice violation qualifies as a basis for a UCL “unlawful practice” claim.
• Sheth v. Ring LLC, C.D. Cal., No. 2:20-cv-01538, filed on February 14, 2020 – Plaintiff alleges violations of the CCPA notice and opt-out requirements based on unauthorized disclosures of personal information to third parties. Plaintiff seeks to expand the application of the private right of action beyond security breaches.

While the courts may ultimately decide that private enforcement does not extend beyond security breaches or that a CCPA violation cannot be transformed into a UCL violation to avoid the CCPA bar on private enforcement, litigation testing the limits of the CCPA is likely to continue for the foreseeable future.

The CCPA’s Growing Importance in the National Privacy Landscape

As privacy legislation in state legislatures and the federal government has stalled, the CCPA has taken on an increasingly central role in privacy compliance in the United States.  Recently, the Washington state legislature was unable to pass SB 6281, the Washington Privacy Act.  Washington lawmakers were unable to resolve a conflict over giving consumers a private right of action or limiting enforcement power to the state attorney general and were thus unable to pass comprehensive data privacy legislation.  This news comes at the heels of reports that bipartisan negotiations on a federal privacy bill have hit another impasse this month, also on issues of enforcement power as well as preemption.

As lawmakers are experiencing across the nation, it is very difficult to implement comprehensive data privacy legislation that affords consumers broad rights with meaningful enforcement mechanisms.  In this regard, the CCPA is significant not just for its early adoption, but for complementing Attorney General enforcement actions with an express private right of action for individual consumers.

As described above, we are only beginning to see how plaintiffs might pursue damages under the CCPA, and we will soon start seeing how the Attorney General will approach the enforcement of the CCPA.  Many businesses will find themselves subject to new claims and investigations, and our clients must be prepared to minimize and mitigate liability risks moving forward.

COVID-19 May Delay Efforts to Pass the CCPA 2.0 Ballot Initiative 

While CCPA implementation and enforcement are still in flux, privacy activists are attempting to put an even more stringent privacy initiative on California’s ballot for the fall.  While the group has been gathering signatures, the COVID-19 lockdown measures may prevent the group from reaching the number of signatures required to make it on the November 2020 ballot.  As of February 13, the CCPA 2.0 measure reported 25% of the 623,212 signatures necessary, but with an April 21 deadline in place for counties to place the measure on their ballots, the initiative’s fate is far from certain.

How We Can Help Your Company

Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business.  RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs.  For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.

Disclaimer

The materials provided at this site are offered for informational and educational purposes only, and are not offered as and do not constitute legal advice or legal opinions.  The transmission or receipt of information through this website, or communication with Rogers Joseph O’Donnell via email through this website, does not constitute or create an attorney-client relationship between us and any recipient.