Happy New Year from the CCPA

As we ring in the New Year, privacy professionals are collectively holding their breath: January 1, 2020 marked the effective date of the California Consumer Privacy Act, also known as the CCPA. Beginning on January 1, 2020, California consumers may engage in civil litigation against businesses in certain data breach cases. In addition, California consumers may begin requesting that a business disclose the personal information that it collected, used, or sold about that consumer. Consumers may also request that a business delete such information or that the business does not further sell that information.

Even though the CCPA went into effect on January 1st, one CCPA-readiness study revealed that the majority of companies are working toward a July 1, 2020 deadline for full CCPA compliance.[1] This is when the California Attorney General (CA AG) (who has broad enforcement authority) will begin enforcing the CCPA. Fortunately, the CCPA contains a period in which businesses may cure CCPA violations before any fines are imposed. Even still, the July 1 enforcement date is not a safe harbor because the CA AG may enforce retroactively against violations that may occurr between January 1, 2020 and July 1, 2020. The strictness of the CA AG’s enforcement is speculative—but some are anticipating more enforcement actions than have been seen with the EU’s General Data Protection Regulation (GDPR).

As I posted previously in California's New Privacy Law Is Coming - Are You Ready?, the CCPA requires businesses to update their privacy disclosures; respond to consumer requests for data access, deletion, or to opt-out of data sales; ensure their loyalty programs do not discriminate against consumers; update their vendor agreements; train their staff; and implement reasonable security practices. Since that post, the CA AG published proposed regulations,[2] and the California Governor signed several amendments into law.[3] Among other things, the amendment AB-25 excluded employees and B2B contacts from aspects of the CCPA until January 1, 2021.[4]

Feel free to contact the KMK Law Cybersecurity & Privacy Team for more information on how various data privacy laws will affect your business in the New Year.

[1] CCPA Readiness: Third Wave, found here: https://iapp.org/media/pdf/resource_center/ccpa_readiness_third_wave.pdf.

[2] Text of Proposed Regulations found here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf. Updates are published by the California Attorney General here: https://oag.ca.gov/privacy/ccpa.

[3] See, e.g., Angelique Carson, The Privacy Advisor Podcast: Some industry perspective on amended CCPA, IAPP (published Sept. 27, 2019), https://iapp.org/news/a/the-privacy-advisor-podcast-some-industry-perspective-on-amended-ccpa/.

[4] See, e.g., Philip Gordon, Zoe Argento, & Kwabena Appenteng, Privacy Tracker: Employers receive last-minute reprieve from the most onerous CCPA compliance obligations, IAPP (published Sept. 17, 2019), https://iapp.org/news/a/employers-receive-last-minute-reprieve-from-the-most-onerous-ccpa-compliance-obligations/.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.


© 2024 Keating Muething & Klekamp PLL. All Rights Reserved


Jump to Page