Although many businesses are finding themselves in new and challenging times due to the impacts of COVID-19 and the related shelter-in-place orders, it is important to keep in mind that compliance with applicable privacy laws is still required. Attorney general enforcement of California’s newest privacy law is on the horizon and set to begin July 1, 2020. In this article, we provide insight on what is required of businesses subject to the CCPA, what trends we have seen in CCPA-related litigation thus far, and the impending enforcement of the CCPA by the California attorney general. 

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and granting several new rights to consumers, and imposing corresponding obligations on businesses subject to the law (to see if your business may be subject to the CCPA check out this diagnostic tool).

Consumer Rights

Consumers have the right to know certain information about a company’s data practices, including the right to know the categories of personal information collected, the sources from which personal information is collected, the business or commercial purpose of such collection, and the categories of third parties with whom personal information is shared. Additionally, consumers have a right to know whether, and to whom, their personal information was sold or disclosed for a business purpose. Consumers also have the right to access the specific pieces of personal information that a company has collected about them over the prior 12 months, and to request that a company delete their personal information. Consumers also have the right to be free from discrimination for exercising any of their rights under the CCPA. These rights are subject to certain exceptions.

Business Obligations

In addition to making certain privacy policy revisions to comply with the CCPA’s disclosure requirements (and updating said privacy policies annually, as is required under the CCPA), businesses will also need to consider implementing processes and procedures to authenticate and respond to verifiable consumer requests to exercise the above-described rights. In general, businesses must offer at least two methods through which consumers can make requests to exercise their rights, including at a minimum, a toll-free phone number, and, if the business maintains a website, a web address. Employees responsible for handling consumer inquiries related to the company’s privacy practices must also receive training, so they are familiar with the consumer rights available under the CCPA. The CCPA also sets forth certain provisions that businesses should include in their contracts with service providers.

Attorney General Guidance

In addition to the text of the statute itself, businesses will also have to be prepared to comply with regulations issued by the attorney general, which are currently still in draft form. The most recent draft of these regulations was released on March 11, 2020, and it contains important clarifications on some aspects of the CCPA and would also impose additional requirements that businesses would be required to address. For example, the Proposed Regulations specify that upon receiving a request to know or a request to delete, the business must confirm receipt of the request within 10 business days and provide information about how the business will process the request. The Proposed Regulations also specify that a business must establish, document, and comply with a reasonable method for verifying consumer requests. Businesses should also begin considering how they plan on complying with the record-keeping requirements that the Proposed Regulations would impose, which would require business to maintain records of consumer requests made and how the business responded to said requests for at least 24 months. The regulations also specify that a violation of the regulations constitutes a violation of the CCPA and is subject to the same remedies.

Attorney General Enforcement

In addition to drafting CCPA regulations, the attorney general is also given broad enforcement authority under the CCPA, and may initiate civil actions against businesses that fail to cure violations under the CCPA, with penalties reaching $2,500 per violation or up to $7,500 per intentional violation. The attorney general can begin enforcing the statute on July 1, 2020, and has confirmed his plan to do so, despite receiving letters from businesses and industry groups calling for delayed enforcement due to businesses needing to focus their attention and efforts on addressing the COVID-19 pandemic.

Private Claims Under the CCPA

The CCPA also contains a limited private right of action for uncured breaches of unencrypted data that are reportable under California’s breach notification law. If such breaches occur as a result of a company’s failure to implement reasonable security standards, individuals may each seek to recover the greater of actual damages or statutory damages up to $750 per violation (and such damages may be sought in a class action). However, in practice, we are seeing a much larger array of claims being brought that cite to the CCPA. To date, over a dozen cases have been filed that allege violations of the CCPA, ranging from those brought by pro se litigants to class action lawsuits, and we expect to see this trend of CCPA-related litigation continue to grow. Read here to learn more about CCPA litigation.

Questions/Concerns

Data Security & Privacy practice attorneys, Jim Snell and Marina Gatto, have deep experience helping clients understand and comply with the CCPA as well as a range of other privacy laws and are happy to answer any questions you may have.