The novel coronavirus (“COVID-19”) has resulted in the California legislature rolling out several emergency initiatives to address the impact of the outbreak. Initiatives range from introducing measures to address key employment issues to financial packages that provide funding to increase hospital capacity and protect those most vulnerable to the disease. Given the immediate impact these initiatives will have on Californians today, the focus on these types of measures is understandable. Even businesses operating in today’s environment have been forced to shift their focus to address the impact COVID-19 has had on their employees’ and customers’ health and safety.
Be this at it may, the sudden shift in focus has resulted in many businesses wondering about the status of the California Consumer Privacy Act (“CCPA”). The CCPA, which took effect on January 1, 2020, and is scheduled to be enforced by the California Attorney General (“AG”) starting July 1, 2020, was the hot topic of conversation before COVID-19. While COVID-19 has impacted governments, businesses, and even many federal and state statutes and regulations, the CCPA appears to be immune. Below is a recap of where things stand today.
- No Indication of Delay in CCPA Enforcement.In March 2020, the Association of National Advertisers, along with 30 other organizations and trade associations, requested to delay the CCPA’s July 1, 2020 enforcement date in light of the pandemic and the lack of finalized regulations (a second version of proposed regulations was published on March 11, 2020 (see article discussing it here)). The AG, however, clarified that the State will not delay the deadline, stating that the AG’s office “is committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. … [W]e are all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” Moreover, on April 10, the AG issued a press release encouraging consumers to exercise their CCPA rights, stating “[a]s the health emergency leads more people to look online to work, shop, connect with family and friends, and be entertained, it is more important than ever for consumers to know their rights under the California Consumer Privacy Act (CCPA).”
Without any further guidance from the AG, businesses should expect CCPA enforcement to begin in July. There have been suggestions from the AG that early enforcement actions will focus on businesses collecting sensitive information, such as health information and Social Security numbers, and children’s personal information. For businesses collecting health information (e.g., employee temperatures) as part of their COVID-19 reopening procedures, CCPA compliance should be at the forefront of their planning.
- CCPA Regulations Likely Not Effective Before October 1. It is now June and the AG’s office has not released the final CCPA draft regulations. The originally announced timeframe was Spring 2020. As a result of this delay, the draft regulations will not take effect on July 1, as originally thought. Before the draft regulations can take effect, they must be submitted to California’s Office of Administrative Law (OAL) for review and approval. The OAL typically has 30 days to review and approve proposed regulations; however, California Governor Gavin Newsom released an executive order allowing the OAL to have an additional 60 days due to the COVID-19 pandemic. Regulations typically become effective only on one of four quarterly dates based on when the final regulations are approved by the OAL and then filed with the Secretary of State: January 1 (if filed between September 1 and November 30), April 1 (if filed between December 1 and February 29), July 1 (if filed between March 1 and May 31), and October 1 (if filed between June 1 and August 31). Therefore, for the draft regulations to be effective by July 1, they had to have been filed with the OAL, approved by the OAL, and submitted to the Secretary of State by May 31. Accordingly, the effective date of the CCPA regulations is likely after at least October 1.
Despite the CCPA regulations not being finalized, there is no indication that the AG will delay enforcing the CCPA on July 1 and using its draft regulations as a guide. Although the AG cannot take the position that a violation of a proposed regulation is a basis for an enforcement action, also known as an “underground regulation,” it would not be surprising to see the AG argue a violation of the CCPA and seek remedial measures based on its interpretation as stated in the draft regulations. For more on the status of the CCPA regulations, see Troutman Sanders’ article, available here.
- CCPA Compliance Efforts Should Continue Despite Operational Impact of COVID-19. Even with COVID-19, businesses should still move forward with CCPA compliance efforts. For businesses that have not started, it is not too late. Data mapping, updating vendor contracts, and creating methods for consumers to submit CCPA requests, for example, are among the tasks that can be accomplished even with a remote workforce. This is especially true given that the CCPA has been in effect since January 1, 2020, and, as noted above, the AG’s office is committed to enforcing it starting July 1. As a result, a complete disregard for the law, even amid COVID-19, will not likely be viewed with kindness.
- Businesses Should Consider Requesting Extensions to Respond to CCPA Requests, If Needed. The latest CCPA draft regulations require stringent response times to CCPA requests. For example, the draft regulations currently provide that businesses must comply with an opt-out request for the sale of personal information within 15 business days of receipt. For requests to know and requests to delete, businesses must confirm receipt of the request within 10 business days and substantively respond to the request within 45 calendar days. However, a business may extend this response by another 45 calendar days if “reasonably necessary.” While the CCPA does not define “reasonably necessary,” issues related to COVID-19 such as staffing shortages, may fall into this category. As a result, it may be prudent for businesses to request this extension ahead of time if they are operating with limited resources as a result of COVID-19.
- Businesses Should Review Whether CCPA Notices Need to be Revised. To address the impact of the outbreak, businesses may have started collecting new types of personal information. For example, as shelter-in-place restrictions ease, many businesses are collecting health-related information (e.g., temperatures, COVID-19 symptoms, etc.), from both employees and customers, as part of their reopening procedures. Where this may be the case, businesses should review what updates need to be made to their employee and consumer-facing privacy notices. For more on collecting employee personal information during COVID-19, see Troutman Sanders’ article, available here.
- Review Methods to Accept CCPA Consumer Requests. Businesses would be wise to review the methods they set up to accept CCPA consumer request pre-COVID-19. Indeed, since many organizations have experienced a loss of resources and staff, it would not be surprising to hear that certain methods are no longer operable. For example, if a business previously set up a dedicated telephone line to field CCPA requests, the business should confirm whether the line continues to be adequately monitored given that most employees have shifted to work-from-home. Likewise, if in-person methods were previously offered and the business is currently closed for business, the method should be reviewed and updated.
At this point, efficient, user-friendly remote options (e.g., e-mail and/or web forms) are likely the way to move forward. Shifting to these methods may also be better aligned with the CCPA, which intends for businesses to consider the methods by which they primarily interact with consumers when determining methods for submitting requests. In today’s new virtual world, electronic methods to submit requests will likely be preferred.
- Consider Accessibility Requirements for Online Disclosures. With increased online traffic, businesses should also take extra care to comply with the CCPA provision regarding accessibility. Per the CCPA, online notices and policies must be reasonably accessible to consumers with disabilities. To do this, the latest draft regulations suggest that businesses comply with the Web Content Accessibility Guidelines (WCAG) version 2.1. These guidelines require websites include accessibility-focused features like contrasting colors, modifiable text sizes, descriptive headers and captions, and optional, variable display orientations.
- Review Security Procedures and Practices. Finally, to avoid the CCPA’s statutory damages available to consumers in the event of a data breach, businesses should maintain reasonable security procedures and practices to protect personal information. The CCPA provides a limited private right of action to consumers where certain information is compromised because a business failed to maintain reasonable security. With the shift to increasingly remote ways to go about daily life and hackers looking to capitalize on fragmented operations and inherent employee vulnerabilities, the possibility of a data breach has drastically increased.
Although the CCPA leaves “reasonable security” undefined, in 2016 the California Attorney General stated that the Center for Information Security Top 20 Critical Security Controls (“CIS Controls”) represents “the minimum level of information security that all organizations that collect or maintain personal information should meet.” The Data Breach Report further provides that “[t]he failure to implement all the [CIS] Controls that apply to an organization’s environment constitutes a lack of reasonable security.” In other words, the CIS Controls represent a baseline for “reasonable security procedures and practices,” as required by the CCPA.
However, as businesses have been forced to shift abruptly to a work-at-home environment, the question arises as to whether the standard for “reasonable security” changes. Even though many organizations likely did not prepare for a global pandemic, the regulatory and agency guidance issued thus far seems to lead us to the same conclusion: COVID-19 warrants a shift in cybersecurity practice. For further discussion on heightened security practices during COVID-19, see Troutman Sanders’ articles here and here.