Think You Have Extra Time to Prepare for CCPA Because of COVID-19? Not So Fast.

Think You Have Extra Time to Prepare for CCPA Because of COVID-19?  Not So Fast.

Written by Doug Austin, Editor of eDiscovery Today

On June 1, California Attorney General Xavier Becerra submitted proposed regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL), according to a news release from the Office of the Attorney General of California (OAG).  OAL has 30 working days and an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance with the Administrative Procedure Act.  However, Becerra requested OAL to conduct an expedited review and declined to delay enforcement of CCPA from the original planned date of July 1st, but indicated he would exercise “prosecutorial discretion if warranted”.

CCPA was signed into law on June 28, 2018, and went into effect on January 1 of this year. The CCPA requires covered organizations to provide California consumers with a number of privacy-related rights, including the right to: (1) know which personal information an organization collects and how it shares that information with others, (2) request that an organization provide to the consumer the specific data elements of personal information it has collected, (3) demand that an organization delete the individual’s personal information, and (4) opt out of an organization’s “sales” of personal information to third parties. It applies to any organization that has California consumers, even if they’re not located in California.

“As our lives increasingly move online, our data privacy becomes more important than ever. The California Consumer Privacy Act, which gives consumers choice and control over personal information in the marketplace, is game-changing and historic,” said Attorney General Becerra in the news release. “Our regulations provide businesses and individuals with guidance on how to protect that choice and boost transparency, while continuing to unleash innovation. Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

The proposed regulations package includes the 29 page Final Text of Regulations and the 59 page Final Statement of Reasons, which also has six appendices regarding comments submitted and responses to those comments.

As noted in this blog post by Troutman Sanders, normally, for the CCPA regulations to be effective by the originally-anticipated July 1 enforcement date, AG Becerra should have submitted the proposed regulations to the OAL, and filed the approved rules with the Secretary of State no later than May 31.  But, in responding to requests to delay enforcement, Becerra said this:

“The OAG has considered and determined that delaying the implementation of these regulations is not more effective in carrying out the purpose and intent of the CCPA. The modified rules, which include regulations on employment-related information, were released on February 10, 2020 and revised on March 11, 2020. Thus, businesses have been aware that these requirements could be imposed as part of the OAG’s regulations. Indeed, many of the regulations are restatements of a business’ obligations under the CCPA, which went into effect on January 1, 2020…To the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute, and when to prosecute…Thus, any regulation that delays implementation of the regulations is not necessary.”

So, as far as Becerra is concerned, your organization should have already been planning to be compliant with CCPA as the Final Text of Proposed Regulations is identical in substance to the Second Modified Regulations issued back on March 27.  But, it seems a lot of organizations are still not ready, just as many weren’t ready for Europe’s General Data Protection Regulation (GDPR), when it went into effect in May 2018.  It’s more important than ever for organizations to track their data, make sure their privacy policy is up to date, develop processes for consumer requests and provide appropriate training to their employees to comply with the policy.  Discovery isn’t just for litigation anymore; it’s also about having a discovery program in place to meet your data privacy compliance needs.  And, while many companies don’t have active litigation which requires a structured approach to discovery, data privacy compliance is a universal need for every company.  I’m sure the level of preparedness within your organization will factor into the “prosecutorial discretion” that Becerra mentioned in his comments should your company violate data privacy rights of California consumers.  Time is almost up!

As part of the Educational partnership between IPRO and eDiscovery Today that was announced earlier this month, I’m excited to say that I will be writing a new weekly blog post for IPRO’s blog, to supplement the excellent educational content that Jim Gill and the IPRO team regularly provide!  Just like I do on eDiscovery Today, I will write educational posts about a variety of topics related to eDiscovery, cybersecurity and data privacy. So, look for a post from me each week here!