Thursday, June 25, 2020

Are You Ready for July 1 CCPA Enforcement?

If you are a privacy geek like me, you circled July 1, 2020, on your calendar the same way you circled May 25, 2018. (Actually, I put a note in my Microsoft Outlook calendar.)

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect with significant new data privacy rights and protections for EU residents. Since 2016 I had been sending out client alerts, writing blog posts, hosting webinars, speaking, and warning of the coming enforcement date. Businesses began feeling fatigue from the endless webinars and articles on the GDPR. Yet, as we got closer to May 2018, my clients became more and more interested in what GDPR meant for their businesses. 

Unfortunately for businesses with potential GDPR compliance issues, it was difficult to implement compliance measures quickly and efficiently. What were these businesses doing for the two years leading up to May 2018? 

On June 28, 2018, just a few weeks after the GDPR took effect, the California Consumer Privacy Act (CCPA) was signed into law by Governor Brown with an effective date of January 1, 2020. 

Many businesses have already taken important steps to comply with the CCPA by updating their website privacy policies and upgrading data security systems, processes, and policies. I am also seeing a significant uptick in CCPA related calls and emails as we get closer to July 1, the date by which the California Attorney General was required to adopt regulations implementing the CCPA. 

So how real is this July 1 enforcement date? 

The California Attorney General cannot bring an enforcement action until six months after the publication of such regulations. The AG was slow to issue draft regulations and hold public hearings. The initial set of draft regulations were released for public comment and the final set of proposed regulations were filed by the AG with the California Office of Administrative Law (OAL) on June 1.

The OAL has 30 working days, plus an additional 60 calendar days under Governor Newsom’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

So will they still be enforced July 1? 

California Attorney General Becerra has requested an expedited review and according to Becerra’s office, the “CCPA has been in effect since January 1, 2020. We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.”

I cannot predict how the California AG will act and who he may go after and when. But my advice regarding compliance with the GDPR, CCPA, and other data privacy laws and regulations is to start with a data inventory or audit of your privacy practices, policies, and operational processes. 

Having this basic understanding of what you do with the personal information you collect is a necessary first step to any compliance activities and is a good and important business practice. Completing such an audit will serve you well — not just for CCPA compliance, but with the many other data privacy laws and regulations likely heading your way.

And now we wait.

No comments :

Post a Comment