Unique challenges confront those businesses impacted by COVID-19 that are also in the process of implementing operational changes to comply with the California Consumer Privacy Act (CCPA). The California Attorney General begins enforcement on July 1, 2020, and recently declined to extend that date due to COVID-19. We take a look at those challenges here and propose some best practices to avoid legal liability under the CCPA.
COVID-19 Distracts Companies From CCPA Compliance Efforts
COVID-19 could not have come at a worse time for companies trying to comply with the CCPA. Employees who would be responsible for CCPA-related projects are working remotely, making implementation tasks more difficult, and are focusing their limited resources on priorities more essential to the continuation of the business. These circumstances will delay many companies' efforts to develop and then implement necessary measures by July 1, 2020, the day when the California Attorney General will begin enforcing the Act.
A coalition of over 60 companies mostly from the ad-tech industry wrote a letter to the AG's office calling for enforcement to be delayed. The AG's office rejected the calls for delay and stated that they were "committed to enforcing the law upon finalizing the rules or July 1, whichever comes first." This leaves little room for interpretation: come July 1, the AG will begin its enforcement of the CCPA. Clearly, this is not the news that companies were hoping to receive.
Despite the fact that the Act went into effect on January 1, 2020, many companies have been monitoring the evolution of the AG's regulations and waiting for the final regulations to be released. In the last couple of months, the AG released three sets of draft regulations. The latest draft was published on March 11 and the comment period expired on March 27. After this period, we expect that the AG will have its final regulations in the coming weeks. This uncertainty creates dilemmas: companies that act now will have to roll out changes and then modify them again later, while companies that have been waiting for the final word are now rushed. Notwithstanding the above, the CCPA empowers the AG to assess compliance as of the January 1, 2020 effective date.
Companies Are Advised To Make The Effort And Document COVID-19 Related Obstacles
Clients are well-advised to adopt certain best practices to minimize the risk of violating the CCPA. First, companies must continue their compliance efforts, regardless of the status of the AG regulations. In our experience dealing with data privacy laws around the world, we have seen that companies that can show a good-faith, reasonable attempt to comply are well-situated to respond to questions or claims. With that in mind, following the guidance of the latest version of the AG regulations would not likely be criticized. Those good-faith efforts would include: 1) mapping data to understand what data you collect and where you keep it; 2) drafting a CCPA-compliant privacy policy; and 3) implementing measures that allow your business to respond to verifiable consumer requests.
Clients are also advised to document any difficulties and disruptions that COVID-19 has caused to their businesses in general, and to their efforts to come into compliance with CCPA in particular. While we believe that it is unlikely that the AG will look the other way if businesses cite COVID-19 as a reason for failing to meet the requirements of CCPA, we would expect it to be a mitigating factor so long as the company can show a reasonably direct causal connection.
With millions of employees working from home, some for the first time, it is more crucial than ever that businesses take every commercially reasonable effort to implement security measures to protect their businesses, including the consumer and employee information they maintain. Cyber-attacks are already on the rise as criminals try to take advantage of this crisis.
Conclusion
To be sure, COVID-19 has introduced further complexity into CCPA compliance at a time when there remains a fair amount of uncertainty about what enforcement will look like come July 1, 2020. Businesses should continue to work closely with counsel to become compliant and stay ahead of further developments during this unusual time.