The Covid-19 pandemic brought much of the world to a standstill, but one thing it has not impacted is the enforcement date for the California Consumer Privacy Act (CCPA). The CCPA, which went into effect on January 1 of this year, grants California residents new privacy rights for their personal information and is considered the most robust state privacy law in the U.S. Enforcement of this landmark privacy law begins on July 1, 2020, but Covid-19 has increased concerns over whether companies have the time and resources necessary to be ready by then.
Despite dozens of requests for a delay due to Covid-19 pandemic, the California Attorney General Xavier Becerra declined to extend the July 1 deadline, stating that privacy concerns have increased during this time. In this post, we’ll take a closer look at these extension requests, recent CCPA lawsuits, and steps your business can take to prepare for life after July 1.
CCPA Compliance in a Covid-19 World
When the CCPA went into effect in January 2020, companies were given a grace period of six months to come into compliance before the law was enforced by the California Attorney General. The Covid-19 pandemic came at an inopportune time for those trying to finalize their compliance efforts between January and July. With most companies transitioning to fully remote workforces due to social distancing guidelines, employees responsible for creating processes to comply with the CCPA are facing significant implementation challenges.
The unexpected and sudden increase in remote workers, the dependence on virtual conferencing platforms, and the increase of personal health information being collected has added extra security, privacy, and compliance considerations. Efforts to stay current on the CCPA’s potential compliance obligations have been redirected to keeping corporate networks running remotely. And many companies are concerned with their ability to manage CCPA consumer requests (like the 12-month look-back requirement) with such limited resources and personnel. In addition, certain tasks must be performed on-site, which is a safety challenge for many businesses.
CCPA Enforcement Extension Requests
Since the onset of Covid-19, various groups, associations, and businesses have urged California’s Attorney General to invoke a temporary deferral in enforcement. On March 17, a coalition of 35 organizations representing industries in technology, advertising, retail, telecommunications, real estate, and insurance wrote a letter to the Attorney General advocating for the CCPA enforcement deadline to be postponed to January 2, 2021. Three days later, the coalition sent a revised letter restating their concerns (this time its numbers had increased to 60 groups, including UPS and Feld Entertainment). In the letter, the coalition stressed the need for more time to focus on essential business operations and to better address the health and economic concerns caused by Covid-19.
California Attorney General's Response to CCPA Enforcement
Despite the concerns expressed by various businesses over the disruptions caused by Covid-19, California Attorney General Becerra has rejected all ideas for extending the CCPA’s enforcement date. The Attorney General highlights that as more people are following stay-at-home orders and using virtual avenues to stay connected, privacy rights are now more important than ever. And even though the Attorney General’s office is mindful of the changes brought on by Covid-19, it is fully committed to enforcing the law come July 1.
California Attorney General Press Release
On April 10, the Attorney General issued a press release reminding consumers of their data privacy rights during the Covid-19 health emergency and how to stay secure online. A few rights for consumers the Attorney General listed include:
- All websites subject to the CCPA should have a “Do Not Sell My Information” link that provides the option to opt out of the sale of their personal information.
- Requests can be made to businesses to delete the personal data that has been collected from the consumer.
- Requests can be made twice during a 12-month period for businesses to disclose what personal information they collect, use, share, or sell.
The release also includes tips for protecting virtual meetings, home networks, and children online, and advice for avoiding email scams. This press release reflects the importance the Attorney General has placed on ensuring data protection hygiene is not overlooked by consumers or businesses during the health crisis.
Recent CCPA Class Action Lawsuits
Although enforcement by the California Attorney General is not set to start until July 1, a few companies are already facing class action lawsuits claiming CCPA violations. Just two weeks after the CCPA took effect in January, Hanna Andersson and Salesforce suffered a data breach that compromised the names, addresses, and credit card information of over 10,000 California residents, which were then sold on the dark web. Hanna Andersson, a children’s retailer, uses Salesforce for its website’s cloud e-commerce payments. A few weeks later, the two companies became the first data breach class action lawsuit filed with alleged violations of the CCPA. The lawsuit claims Hanna Andersson and Salesforce failed to protect consumer data, provide adequate security measures, safeguard their systems from attackers, and delayed its announcement of the breach.
Following the increased use of video chat and conferencing apps to stay connected, both Zoom (a free video conferencing platform) and Houseparty (a popular app for video conferencing and games) have class action complaints filed against them as well. Zoom and Houseparty are not connected and each faces its own lawsuit, but these cases are almost identical in cause. Both companies failed to obtain consent from customers for the disclosure of their personal information to third parties like Facebook. The complaints also allege common law negligence, invasion of privacy, and breach of the Terms of Service on the company’s website.
If these organizations are found to be at fault as a result of these lawsuits, they could face penalties of up to $7,500 per violation.
Preparing for CCPA Enforcement
Despite pleas for an extension, July 1 is upon us and companies must be prepared for what comes next. Although Covid-19 can present compliance challenges, there are still a few steps you can take to prepare for enforcement.
- Make CCPA compliance a priority: Due to Covid-19, your business has probably faced some operational and economic hardships. However, it is important to still continue to dedicate resources to compliance efforts. Penalties and fines after July 1 for noncompliance will only compound these challenges. Continue to prioritize consumer-facing processes and notices and build out your compliance program to align with the CCPA.
- Assess operational changes made during Covid-19 to align with the CCPA: In the wake of stay-at-home orders and social distancing practices, companies rushed to transition to fully remote workforces, bringing new risks for noncompliance. Evaluate and ensure that your newly implemented systems align with your compliance program and that you understand how your company is collecting, processing, storing data after Covid-19 business changes. Assess any new third-party vendors to ensure their security policies satisfy your privacy requirements in the event of a breach, as well.
- Prioritize consumer request responses: Even during these challenging times, businesses cannot disregard consumer requests and will still need to respond in a responsive and timely manner. Become familiar with response requirements – some of which will be helpful during this time. For example, companies have 45 days to respond to consumer requests to delete their personal information and have an additional 45 days if appropriate notice is provided to the consumer.
- Ensure your privacy policies are up to date: By reviewing your existing policies, you can uncover gaps in compliance and identify operational challenges as a result of Covid-19-related changes. Be sure your privacy policies adequately provide information about data use, data subject rights, and necessary contact methods like toll-free numbers. Then, ensure the specific processes located in your privacy notices have been implemented, such as including a prominent “Do Not Sell” or “Opt Out” button on your company’s website.
- Document Covid-19 related compliance obstacles: Although the Attorney General has not made an official statement on noncompliance penalties due to Covid-19 complications, it is reasonable to believe that a direct connection would be a mitigating factor. Therefore, properly documenting any compliance effort disruptions that Covid-19 has caused could become useful in the future if facing noncompliance allegations.
While the demands of Covid-19 continue to complicate compliance efforts for companies in scope of the CCPA, the Attorney General has no intention to extend this date. Companies must continue to devote the resources to finalize compliance and stay ahead of any further developments. While the future is filled with uncertainty due to these unprecedented times, aligning with the CCPA now will keep your company free from consequences following July 1.
If you’re looking for further information on how to advance your CCPA compliance efforts, check out our free starter kit filled with helpful guides, checklists, and more.
Get more insights into the latest privacy news.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.