The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. This law was implemented to protect the use, sharing and selling of consumers’ personal information, and included a variety of complex requirements for companies that do business in the State of California. The California Attorney General had been tasked with providing guidance on compliance with the CCPA. Finally, on June 1^st, the final proposed regulations under the CCPA were submitted to the California Office of Administrative Law (OAL) to become law.

While these regulations will not become law for at least 90 days or more (due to timeframes for approval being extended due to the COVID-19 pandemic), the CCPA expressly authorizes the Attorney General to start enforcement actions on July 1, 2020. As we have previously indicated, while the Attorney General claims it will only initially pursue egregious and flagrant enforcement cases, this is more than likely to expand to include actions for non-compliance. It is critical to remain mindful that the private right of action regarding data breaches under the CCPA remains in place.

What Do Businesses Need to Do Now?

Now is the time to take action and implement a compliance strategy for the CCPA as soon as possible. While 30 days is certainly not a lot of time to become compliant, it only stresses the need to move quickly and make basic measures towards compliance, such as adapting privacy policies for compliance, preparing necessary disclosure statements, and mapping where data is stored and how it is shared – in both electronic and hard copy formats. There will be additional time to update and supplement compliance efforts with the Attorney General’s guidelines and those can become incorporated during the compliance process. Despite many businesses working remotely at this time due to COVID-19, privacy professionals must still be engaged to create a CCPA compliance plan and work with IT professionals to ensure CCPA compliance under these circumstances.

Why Does This Matter For Businesses

• If you do not have a plan to address CCPA requirements, now is the time to do so.
• Class-action lawsuits have already commenced under the CCPA, and are likely to continue to increase significantly over time and as a result of the current remote working conditions created by the COVID-19 pandemic.
• Regardless of your current work environment, provide periodic on site or virtual training to ensure all employees understand the basic requirements of the CCPA and remain vigilant when it comes to cyber security, privacy and the protection of personal information.
• If you are considering securing a cyber liability insurance policy to address these requirements, have the form policy as well as applicable endorsements reviewed by an experienced cyber insurance coverage attorney prior to binding coverage to confirm that you will actually have the coverage you want to secure and properly address CCPA requirements.

Our Data Privacy & Security Task Force attorneys are available for consultation by emailing NDCovid19Response@ndlf.com or contacting our office at 949-854-7000.