As we ring in the New Year, privacy professionals are collectively holding their breath: January 1, 2020 marked the effective date of the California Consumer Privacy Act, also known as the CCPA. Beginning on January 1, 2020, California consumers may engage in civil litigation against businesses in certain data breach cases. In addition, California consumers may begin requesting that a business disclose the personal information that it collected, used, or sold about that consumer. Consumers may also request that a business delete such information or that the business does not further sell that information.
Even though the CCPA went into effect on January 1st, one CCPA-readiness study revealed that the majority of companies are working toward a July 1, 2020 deadline for full CCPA compliance. This is when the California Attorney General (CA AG) (who has broad enforcement authority) will begin enforcing the CCPA. Fortunately, the CCPA contains a period in which businesses may cure CCPA violations before any fines are imposed. Even still, the July 1 enforcement date is not a safe harbor because the CA AG may enforce retroactively against violations that may occurr between January 1, 2020 and July 1, 2020. The strictness of the CA AG’s enforcement is speculative—but some are anticipating more enforcement actions than have been seen with the EU’s General Data Protection Regulation (GDPR).
As I posted previously in California's New Privacy Law Is Coming - Are You Ready?, the CCPA requires businesses to update their privacy disclosures; respond to consumer requests for data access, deletion, or to opt-out of data sales; ensure their loyalty programs do not discriminate against consumers; update their vendor agreements; train their staff; and implement reasonable security practices. Since that post, the CA AG published proposed regulations, and the California Governor signed several amendments into law. Among other things, the amendment AB-25 excluded employees and B2B contacts from aspects of the CCPA until January 1, 2021.
Feel free to contact the KMK Law Cybersecurity & Privacy Team for more information on how various data privacy laws will affect your business in the New Year.
 CCPA Readiness: Third Wave, found here: https://iapp.org/media/pdf/resource_center/ccpa_readiness_third_wave.pdf.
 Text of Proposed Regulations found here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf. Updates are published by the California Attorney General here: https://oag.ca.gov/privacy/ccpa.
 See, e.g., Angelique Carson, The Privacy Advisor Podcast: Some industry perspective on amended CCPA, IAPP (published Sept. 27, 2019), https://iapp.org/news/a/the-privacy-advisor-podcast-some-industry-perspective-on-amended-ccpa/.
 See, e.g., Philip Gordon, Zoe Argento, & Kwabena Appenteng, Privacy Tracker: Employers receive last-minute reprieve from the most onerous CCPA compliance obligations, IAPP (published Sept. 17, 2019), https://iapp.org/news/a/employers-receive-last-minute-reprieve-from-the-most-onerous-ccpa-compliance-obligations/.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2020 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Privacy Laws
- General Data Protection Regulation
- Cyber Insurance
- California Consumer Privacy Act
- Data Breach
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Happy New Year from the CCPA
- Can’t We All Get Along in the Cyber Sandbox?
- California's New Privacy Law is Coming - Are You Ready?
- Gearing up for National Cybersecurity Awareness Month: KMK Hosts Third Annual Cybersecurity & Privacy Seminar
- Ohio Data Protection Act - Safe Harbor for Businesses in Ohio
- Ohio’s Data Protection Act: What You Need to Know
- September 2018 Was a Busy Month for Data Privacy
- GDPR - 90 Days Later
- GDPR: What We're Learned So Far and What to Expect
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know