June 30, 2020
Stroock Special Bulletin
By: Quyen T. Truong, Christopher R. Fredrich, Stephen J. Newman
Tomorrow, July 1, 2020, the California Attorney General’s Office (AG) will begin exercising its enforcement authority under the California Consumer Privacy Act (CCPA). Although an even stricter framework of regulation and enforcement has been approved for California’s November ballot and is likely to be adopted, businesses should confirm their CCPA enforcement readiness now, with a close eye to compliance with the AG’s recently finalized implementing rules. The CCPA, which went into effect on January 1, 2020, grants consumers extensive rights relating to access to, deletion of, and “sale” of non-public “personal information” (NPI) collected by businesses. The CCPA’s broad definitions of personal information and sale reach virtually any sharing of non-public information relating to an individual, household or device.
Enforcement readiness should include the following areas of focus:
Businesses should anticipate that AG enforcement efforts may cover business activities going back to the CCPA’s January 1, 2020, effective date. We expect the AG to press ahead with aggressive enforcement, following its rejection of requests from a coalition of California businesses to delay enforcement six months due to various compliance challenges, including those related to the COVID-19 pandemic. Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation from non-compliant businesses.
On June 1, 2020, the AG submitted a package of final proposed regulations under the CCPA to the California Office of Administrative Law (OAL) for approval. The timeframe for the OAL to review the package – normally 30 working days – has been extended 60 calendar days under Governor Newsom’s Executive Order N-40-20 related to the pandemic. However, the AG has requested that the OAL complete the review on an expedited basis. Upon approval, the regulations will be filed with the Secretary of State and become enforceable. We previously issued bulletins concerning earlier iterations of the proposed regulations, available here, here and here. The AG’s final proposed regulations are largely identical to the last version and leave certain ambiguities, including, among other things, the circumstances constituting a “sale” of NPI. Along with the final text of the proposed regulations, the package submitted to the OAL contains a Final Statement of Reasons, which summarizes all modifications from the AG’s initial proposed regulations. Businesses may refer to this Final Statement of Reasons, available here, for additional guidance in assessing their CCPA compliance programs.
As businesses brace for AG enforcement, California’s privacy law framework remains in flux. On June 24, 2020, the Secretary of State confirmed that a new privacy initiative, the California Privacy Rights Act (CPRA), has officially obtained enough signatures in support and will be on the November 2020 ballot. If approved by California voters, the CPRA will significantly expand the requirements of the CCPA (effective January 1, 2023) and create a new California Privacy Protection Agency to pursue enforcement.
Stroock’s Privacy/CCPA Team will continue to report on the latest developments. Our Team has closely monitored California’s evolving privacy framework since the introduction of the first ballot initiative preceding the CCPA. Our work ranges from building pragmatic compliance systems for small businesses to defending global industry leaders against government and private actions. Click here to learn more about Stroock’s Privacy/CCPA capabilities.
_______________________________________________
For more information:
This Stroock publication offers general information and should not be taken or used as legal advice for specific situations, which depend on the evaluation of precise factual circumstances. Please note that Stroock does not undertake to update its publications after their publication date to reflect subsequent developments. This Stroock publication may contain attorney advertising. Prior results do not guarantee a similar outcome.
June 30, 2020
Stroock Special Bulletin
By: Quyen T. Truong, Christopher R. Fredrich, Stephen J. Newman
Tomorrow, July 1, 2020, the California Attorney General’s Office (AG) will begin exercising its enforcement authority under the California Consumer Privacy Act (CCPA). Although an even stricter framework of regulation and enforcement has been approved for California’s November ballot and is likely to be adopted, businesses should confirm their CCPA enforcement readiness now, with a close eye to compliance with the AG’s recently finalized implementing rules. The CCPA, which went into effect on January 1, 2020, grants consumers extensive rights relating to access to, deletion of, and “sale” of non-public “personal information” (NPI) collected by businesses. The CCPA’s broad definitions of personal information and sale reach virtually any sharing of non-public information relating to an individual, household or device.
Enforcement readiness should include the following areas of focus:
Businesses should anticipate that AG enforcement efforts may cover business activities going back to the CCPA’s January 1, 2020, effective date. We expect the AG to press ahead with aggressive enforcement, following its rejection of requests from a coalition of California businesses to delay enforcement six months due to various compliance challenges, including those related to the COVID-19 pandemic. Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation from non-compliant businesses.
On June 1, 2020, the AG submitted a package of final proposed regulations under the CCPA to the California Office of Administrative Law (OAL) for approval. The timeframe for the OAL to review the package – normally 30 working days – has been extended 60 calendar days under Governor Newsom’s Executive Order N-40-20 related to the pandemic. However, the AG has requested that the OAL complete the review on an expedited basis. Upon approval, the regulations will be filed with the Secretary of State and become enforceable. We previously issued bulletins concerning earlier iterations of the proposed regulations, available here, here and here. The AG’s final proposed regulations are largely identical to the last version and leave certain ambiguities, including, among other things, the circumstances constituting a “sale” of NPI. Along with the final text of the proposed regulations, the package submitted to the OAL contains a Final Statement of Reasons, which summarizes all modifications from the AG’s initial proposed regulations. Businesses may refer to this Final Statement of Reasons, available here, for additional guidance in assessing their CCPA compliance programs.
As businesses brace for AG enforcement, California’s privacy law framework remains in flux. On June 24, 2020, the Secretary of State confirmed that a new privacy initiative, the California Privacy Rights Act (CPRA), has officially obtained enough signatures in support and will be on the November 2020 ballot. If approved by California voters, the CPRA will significantly expand the requirements of the CCPA (effective January 1, 2023) and create a new California Privacy Protection Agency to pursue enforcement.
Stroock’s Privacy/CCPA Team will continue to report on the latest developments. Our Team has closely monitored California’s evolving privacy framework since the introduction of the first ballot initiative preceding the CCPA. Our work ranges from building pragmatic compliance systems for small businesses to defending global industry leaders against government and private actions. Click here to learn more about Stroock’s Privacy/CCPA capabilities.
_______________________________________________
For more information:
This Stroock publication offers general information and should not be taken or used as legal advice for specific situations, which depend on the evaluation of precise factual circumstances. Please note that Stroock does not undertake to update its publications after their publication date to reflect subsequent developments. This Stroock publication may contain attorney advertising. Prior results do not guarantee a similar outcome.
