Recent events have significantly impacted virtually every organization and their workforce. Government is no exception; the current pandemic has ground regulatory activity to a seeming halt. Over the past few months, multiple agencies have announced regulatory delays, deadline extensions, and even new rules to temporarily deregulate some economic activities. Many proposed regulations, like the Federal Reserve Board’s revised control framework, were put on hold.
For a while it appeared as though the California Consumer Protection Act (CCPA) was destined for the same fate. As of the end of May Attorney General Xavier Becerra had yet to submit his proposed final CCPA regulations to the California Office of Administrative Law (OAL). Meanwhile, Governor Newsom issued an Executive Order in response to COVID-19 that, among other things, extended regulatory review by 60 calendar days. All this led many analysts and compliance officers to conclude that enforcement of CCPA regulation would slip to October 1st (per California’s quarterly schedule).
However, it now appears that de-prioritization is not an option. California has announced it is pushing ahead with its original enforcement date of July 1, 2020. On the first of June, the AG’s office submitted its final proposed regulations to OAL, alongside a request for expedited review. Citing legislative mandate, the AG asked that the regulations become effective upon OAL’s filing with the Secretary of State, and asserted that “once final regulations are adopted, the Attorney General will enforce the regulations” (emphasis added).
When will businesses have to be in compliance?
The short answer is yesterday. As the AG’s office reiterated in its OAL submission, the CCPA took effect on January 1st of this year. This means that businesses not in compliance with the law can be – and have been – named in private lawsuits. Multiple CCPA-related lawsuits against a variety of businesses are already making their way through the courts.
It is important to remember that, while this is a California law, its impact is not limited to the Sunshine State alone. CCPA applies to any business collecting personal information from California residents that meets one of the following criteria:
- Buys, receives sells or shares the personal information (PI) of at least 50,000 California residents, households or devices annually;
- Derives at least 50% of its annual revenue from selling the PI of California residents; or
- Has an annual gross revenue of $25M or more.
Though a state law, CCPA’s broad reach has already been felt across the country, with consumers nationwide suing companies headquartered across the United States in California courts. The majority of these cases were spurred by data breaches, as the law only allows consumers to seek damages for the “unauthorized access and exfiltration, theft, or disclosure” of “nonencrypted or nonredacted personal information.” Despite this, some cases, such as the current lawsuit against the video communications company Zoom, focus on information collection and use. Given the limited scope of an individual’s right to sue, the potential success of such lawsuits remains murky at best.
Starting on July 1, however, the California Attorney General can – and will – begin enforcing violations of the entire law. Unlike private individuals, the AG has the right to enforce any violation of the CCPA. AG Bacerra has already stated his intention to publicly prosecute companies that make no attempt to comply, saying “I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
Moreover, there is nothing in the law preventing the state from enforcing violations that occurred prior to July 1st. As Becerra said in October of 2019 when discussing whether his office could be prevented from prosecuting violations that occurred between the law’s enactment and regulatory adoption, “If that were [the case], then you could murder someone today and if we couldn’t figure out who did it for a month, would that mean you get to go scot-free? I don’t think so.”
Though all this may appear daunting, there is one (potentially) silver lining: intent matters. While remaining firm in its conviction to enforce CCPA, the AG’s office has also stated that it will “look kindly” on businesses that “demonstrate an effort to comply.” Compliance officers should immediately take steps to fulfill the spirit – not just the letter – of CCPA, carefully documenting their progress along the way. Being able to demonstrate an intent to comply can help companies in the event of a failure.
This isn’t limited to California and the CCPA. As the Justice Department recently reiterated in its “Evaluation of Corporate Compliance Programs,” federal prosecutors investigating compliance failures will assess whether a firm’s compliance program was “applied earnestly and in good faith” when determining whether to bring charges or levy fines. Documenting the steps your program took keep with the intent of CCPA could help you avoid severe penalties in the event of a violation.
What changes are yet to come?
Back in January, we reviewed the CCPA and identified the top 5 compliance challenges the CCPA posed. Compliance officers looking for a comprehensive list of the legal and regulatory changes occurring in the interim can consult the “Update of Initial Statement of Reasons” issued by the AG’s office. Substantively, however, compliance officers may be relieved to hear that nothing changed from the second set of proposed regulations released in March. So, if your program program’s implementation practices were based on that document, you can breathe easy.
Compliance professionals shouldn’t rest too soundly, however. This November, California voters appear to set to vote on what is already being billed as “CCPA 2.0” – the California Privacy Rights Act (CPRA). If passed, this amendment to the CCPA would expand data protections considerably. Provisions include new security mandates, the creation of a new enforcement agency, and an expansive definition of “sensitive personal information” which consumers can view, edit and control. With the CPRA passage looking increasingly likely, organizations should view the start of CCPA enforcement not as an end, but a beginning.