The Effective Date of the California Consumer Privacy Act of 2018 Has Come and Gone: What To Do Now?

The CCPA became effective January 1, 2020. Some businesses prepared to meet the deadline, while others have become partially compliant but still have more to do. Some may not have begun. What should a business be doing at this point?

1. Note the Important Dates.
   The CCPA, enacted June 28, 2018, was amended several times prior to its effective date of January 1, 2020, and will be enforceable by the Attorney General on July 1, 2020. Concerning the delayed enforcement date, keep in mind two points: First, as of January 1, 2020, consumers have a private right of action (with statutory damages) for violations of the CCPA requirement to provide reasonable security that result in an unauthorized disclosure of personal information. Second, the Attorney General presumably could bring actions starting July 1, 2020 for failures to comply dating back to January 1, 2020. Therefore, if a business was not in full compliance as of January 1, 2020, time is of the essence in order to mitigate the risks of enforcement and private litigation.
   
   
2. Assess (or Reassess) Scope and Applicability.
   As we discussed here, businesses must begin by assessing the applicability of the CCPA to the business. Is the business “doing business” in California? Does it collect personal information from California residents? Does the business meet one of the thresholds based on annual revenue and data collection? Do CCPA exemptions (such as the GLBA, HIPAA, FCRA and other exemptions) apply? If one of the exemptions applies, does the business also collect personal information not covered by an exemption?
   
   The temporary, limited exemption for personnel (such as employees, job applicants, officer, directors and owners) enacted by AB-25 solved significant challenges for many businesses, as further discussed here. Note, however, that this exemption for the personal information of personnel is temporary, with a scheduled sunset of January 1, 2021, and also partial, given that the business must provide a notice at collection to its personnel, who also continue to have a private right of action under the CCPA.
   
   Similarly, the exemption for business to business (or B2B) contacts provided by AB-1355 is scheduled to sunset on January 1, 2021 and is limited in that B2B contacts retain the CCPA’s “do not sell” right and private right of action.
   
   
3. Analyze Collection and Use of Personal Information.
   After determining the CCPA applies, the business must: analyze its collection and use of personal information, and, as suggested here, create a project plan to map the collection, use and sharing of personal information; draft internal policies and procedures for CCPA compliance; prepare the required notice at collection and privacy policy; and review relevant vendor contracts. It is also advisable to prepare forms and mechanisms for consumers to submit requests to exercise their rights under the CCPA, and create procedures and forms for responding to these requests.
   
   The notice at collection and privacy policy are the two central documents required by the CCPA. The content and other requirements for these documents were clarified by the draft regulations issued by the Attorney General. As the draft CCPA regulations make clear, they are two separate documents presenting different disclosures. A common question is whether the requirements for the CCPA privacy policy can be addressed through the business’s existing online privacy policy. Note, however, that the particular disclosure requirements and consumer rights of the CCPA are unique in the U.S., and most companies will not elect to extend the CCPA rights to all individuals. Therefore, the common and safest approach is to prepare separate CCPA disclosures through a CCPA Privacy Policy and a CCPA Notice at Collection.
   
   
4. Track Statutory Amendments and Regulatory Developments.
   Another important task for pursuing CCPA compliance is the tracking of amendments to the statute itself and developments in the proposed regulations. Whether a business was prepared for the January 1 effective date, or whether it is getting a late start, the statutory amendments made to the CCPA between June 2018 and October 2019, including those discussed above, have been significant and largely helpful. It is important to follow the proposed statutory amendments that are currently pending in the legislature.
   
   There is, however, a new initiative by the activists who propelled the CCPA that would effectively replace the CCPA with a new California privacy law (proposed as the California Privacy Rights Act of 2020). This new proposal would be more onerous for businesses, and more punitive in enforcement, than the CCPA. All businesses should track its progress.
   
   In addition, the regulations to be promulgated by the Attorney General will be highly important to every business’s CCPA compliance effort. The draft regulations, which were recently amended on February 10, 2020, answer a lot of questions and provide clarity. For example, the draft regulations address the verification process necessary to properly identify the subjects of consumer requests, the ability of consumers to use agents, and the presentation of CCPA disclosures themselves. The current form of the draft regulations is ­available here.
   
   As for developments in other jurisdictions, several states are considering legislation inspired by or identical to the CCPA, and nearly 20 have recently adopted or are considering some form of privacy legislation. CCPA compliance efforts will need to track and account for these developments as well.