Legislative Updates

CCPA Enforcement and COVID-19 Pandemic

01.20.2021

Author: Jeff Aleixo, Emptech's founder


The California Consumer Privacy Act (CCPA) requires certain companies doing business in California to implement new consumer privacy rights and provide new privacy policies to consumers. Despite industry efforts to postpone the CCPA enforcement deadline in light of the coronavirus (COVID-19) pandemic, the deadline was not changed. Therefore, the California attorney general’s right to enforce the law began July 1, 2020, and the CCPA regulations became final and effective on August 14, 2020.

CCPA Final Regulations and COVID-19 Delays

The CCPA gives California consumers certain rights regarding their personal information. Namely, it gives consumers the right to know about the personal information that businesses collect about them, the right to know what businesses do with that information, and the right to opt out of the sale of certain personal information if a business sells it. On the other side, qualifying businesses that do business in California need to apply certain policies, practices, and methods that allow consumers to use those rights.

Due to the uncertain scope of business obligations and additional complications caused by the COVID-19 pandemic, businesses asked the Attorney General to delay CCPA enforcement. While the Attorney General did not agree to do this, he did state that his office may exercise prosecutorial discretion if warranted. As a result, compliance requirements for certain provisions of the CCPA were delayed, at least in part.

On September 1, 2020, the California legislature passed AB 1281, which extends the Business-to-Business (B2B) and employee exemptions until January 1st, 2022. Initially planned for January 1st, 2021, the one-year hold on the CCPA’s applicability to employee and B2B information was introduced to allow the review of the CCPA and ensure it was operating as intended and designed. Now, on account of COVID-19 and other initiatives, the legislature voted to extend these exemptions for one more year.

However, businesses need to comply with the CCPA’s Notice at Collection requirement and are still subject to the CCPA’s data breach provision. This gives consumers the statutory right to bring legal actions if businesses are unable to cure the alleged breach, but at least some of the burden of compliance is delayed for another year.

Use the appropriate technology to ensure CCPA compliance and position your company ahead of the evolving privacy legislation.

Constant Changes of California Privacy Law

Now that the CCPA enforcement is final, affected businesses need to finalize their CCPA compliance programs in case they have not already done so. However, it is important to note that the act is still undergoing changes. In addition to AB 1281, there is a pending ballot initiative, the California Privacy Rights Act of 2020.

The CPRA is an initiative imposing greater privacy restrictions on businesses holding consumer data, planned as part of California’s November 2020 ballot. The CPRA strengthens the CCPA by creating new privacy rights, obligations, and enforcement mechanisms, mandating the following:

  • Businesses have to limit the use and disclosure of an expanded list of sensitive personal information,
  • Businesses need to give consumers notice that their information may be sold and that they have a right to opt out of such sale,
  • Businesses may need to defend against private consumer litigation as the CPRA explicitly grants consumers a right to bring a private civil action for certain CPRA breaches, and
  • Businesses will be subject to enforcement actions from a newly created California Privacy Protection Agency.

Apart from extending the CCPA exemptions for business-to-business (B2B) and employee personal information, AB 1281 also has a provision that it will only take effect if the CPRA is not approved by the California voters in November. The CPRA and the creation of the California Privacy Protection Agency would undoubtedly expand privacy regulations and enforcement actions. If passed, the CPRA would not go into effect until January 1, 2023. However, businesses need to keep a close watch on developments in order to have as much time as possible to prepare if this measure is approved.

Another bill that requires parental consent for children under 13 to create social media accounts was vetoed. Assembly Bill 1138 would have applied to sites and applications like Snapchat, Instagram, TikTok, Facebook, Twitter, etc. However, the federal Children’s Online Privacy Protection Act (COPPA) already requires website or online services operators to obtain verifiable parental or guardian consent prior to the collection of personal information from children under 13. Consequently, California Governor Gavin Newsom vetoed this bill given its overlap with federal law.

CCPA Enforcement amid the Pandemic

CCPA compliance is challenging because the regulations are far-reaching and have only recently been finalized, but it is critical that companies take reasonable, practical steps to respond to CCPA enforcement, achieve CCPA compliance and mitigate potential risks. This is even harder than before, as organizations are now being tasked with CCPA compliance in an unexpected remote work environment, with more personal data available online. However, even in the remote work environment, companies have to ensure that they are informing customers about what data they are collecting, the right to say no and opt out of data collection, the right to request deletion of their information, and more.

Implementing necessary guidelines and attempting to avoid significant penalties due to CCPA enforcement can be very complex. However, companies have to comply not only with the CCPA but also with other privacy laws that will follow. This is why it is necessary to create a privacy framework that includes flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that are subject to CCPA as well as other privacy legislation. Furthermore, companies can benefit from the use of technology to create the right approach and address CCPA compliance. The use of automation in preparing for CCPA enforcement can offer significant cost savings given the reduction in manual analysis and implementation efforts that are required as the privacy landscape evolves.

The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emptech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.