CCPA Now Enforceable by California AG; New Regulations Require Attention

July 1 has arrived, which means that the California Attorney General (AG) may now enforce the state’s recently-enacted privacy statute, the California Consumer Privacy Act (CCPA).  Because of the breadth of the law, and the multiple evolutions of its requirements, this is a good time to check in on your compliance – even if you did some footwork at the end of 2019 in anticipation of the new law – to ensure that you are up to date with all the new elements of the CCPA. 

Timeline of the CCPA

For companies subject to the law, a quick refresher on status:

• The law itself took effect on 1/1/2020.
• As the pandemic started, a coalition of 60+ companies asked the AG to delay its 7/1/2020 planned enforcement date; the AG refused.
• The AG’s office has, since fall 2019, been working on implementing regulations to accompany the law.
• In late June, the AG finalized its implementing regulations and submitted them for publication.  They will take effect when published, likely this summer. 

Different Enforcement Mechanisms for Consumers and AG

What does this confusing timeline mean?  Consumers, who have a direct right of action under the CCPA, can sue a company for privacy breaches happening after 1/1/2020.  As of 7/1/2020, the AG is also empowered to enforce the statute, and can investigate and fine companies that do not comply (not just companies that have suffered a data breach).  He will also be able to enforce the implementing regulations, which detail some of the CCPA’s notice and other requirements, as soon as they are made official via publication. 

The bottom line is that companies covered by the law should be compliant already with the statute itself; and they should review their compliance plan to be certain that it comports with the soon-to-take-effect implementing regulations.   

Changes and Clarifications in the Implementing Regulations

The forthcoming regulations require study and possibly additional compliance efforts, although they do relax requirements for certain matters.  Notable changes or areas of clarification in the implementing regulations include the following:

• They give a detailed framework about how the consumer access/deletion request process should work, including timelines to resolve such requests, verifying the identity of the requestor, and more. Companies that hold a lot of consumer information should review these very carefully and ensure that their workflow can support the detailed requirements. 
• They detail that required notices must be “reasonably accessible” to consumers with disabilities, a requirement that can be enforced under the federal laws covering disability protections and which can open a non-compliant company to monetary damages under California law.
• They provide additional detail on the requirements of privacy and other notices to consumers. 
• They detail what is required of a “service provider” company and create some relief for them.
• They clarify that a company that neither collects information directly from consumers nor sells consumer information does not have to provide a consumer privacy notice “at or before” collection.