Is the California Attorney General Delaying or Loosening Enforcement of the CCPA due to Covid-19? (United States)

Not at this time.

In light of Covid-19, many companies are deciding whether they can (or should) put their compliance plans on hold in order to handle more pressing matters. As things currently stand, the California AG has not indicated that there will be any delay in enforcement, slated to begin on July 1, 2020. Although there is a large push from the business community to delay, an unidentified advisor from the AG’s office recently stated that their office is “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first.”

While the AG’s position could change as the Covid-19 pandemic continues to evolve, companies should assume the deadline for enforcement will remain in place and should continue moving toward full compliance (to the extent practical) with the CCPA by July 1.  Although enforcement is slated to begin in July, it is important to remember that compliance began on January 1, 2020. To the extent priorities need to be established, companies should consider the following:

1. Make sure to comply with deadlines for responding to data subject access, deletion, opt-out requests.
2. Review your publicly-facing documents (e.g., privacy notices) for compliance with the CCPA. If the final regulations have not come out by May 15, 2020, begin the process of reviewing and revising based upon the then-current draft of the regulations. At this point, and presuming that there are no further proposals, that would be the Second Modified Proposed Regulations.
3. Make sure that you have a cookie-compliance strategy, particularly if your website is utilizing third party cookies.
4. Review your security protocols and incident response plans to make sure they would be effective in preventing and responding to a data security incident. As bad actors take advantage of the pandemic-related chaos, we are seeing an increase in data breaches and security incidents. The CCPA permits California residents to recover between $100-$750 in statutory damages if certain sensitive personal information is exposed in a data breach and the company lacked reasonable and appropriate security measures.
5. Identify key vendors service providers with whom you are sharing personal information and review your existing contracts to ensure they are restricting their use of the personal data; if they do not, request that the vendor agree to a data processing addendum.