Folks, enforcement of the California Consumer Protection Act (CCPA) is here.
Starting July 1, despite protestations from the business and advertising communities, the California attorney general can start investigating complaints, bringing actions, poking into privacy policies and issuing fines. Lobbying to postpone enforcement until Jan. 1, 2021, in light of the ongoing pandemic, was brushed aside by the AG.
Although consumers can only bring a private right of action in the case of a data breach – several have already been filed, including against Zoom and video chat app Houseparty – the AG is able to bring statutory actions in response to any violation of the CCPA.
In full en(force)
And the AG’s office appears more than ready to do so.
In a statement in early June after his office finally submitted the final draft of the CCPA implementation regulations for approval, California Attorney General Xavier Becerra said: “Businesses have had since Jan. 1 to comply with the law, and we are committed to enforcing it starting July 1.”
While it’s unclear what enforcement will look like, the ongoing COVID-19 situation won’t excuse noncompliance.
In April, Becerra issued an advisory reminding consumers of their data privacy rights amid the pandemic and calling out their new rights under the CCPA, including the ability to opt out of the sale of their personal information and to request that a business disclose what personal info it collects, uses, shares or sells about them. He reiterated these points in a detailed tweet thread on Tuesday.
On July 1, I will begin enforcement of the #CCPA.
As families continue to move their lives increasingly online, it is essential for Californians to know their privacy options. https://t.co/1cJGrX2jJN pic.twitter.com/w7fp0v4j5I
— Xavier Becerra (@AGBecerra) June 30, 2020
Complicating matters is that the right of disclosure includes a look-back provision covering the 12-month period that precedes the date of a verifiable access request. Businesses could technically be held accountable under CCPA for data collection that took place going back to Jan. 1, 2019, one year before the law’s effective date.
Businesses and ad tech companies hope the AG takes into consideration that preparation has been complicated by the fact that the law was a moving target until only recently. Although the AG’s implementation regs have been submitted, the California Office of Administrative Law has yet to officially approve them.
“Having open questions about CCPA this close to its enforcement date hinders implementation,” said Alice Lincoln, former VP of data policy and governance at MediaMath, currently a privacy product management lead at Facebook. “We hope that the AG will appreciate that just as the regulations have been challenging to finalize, companies working hard to interpret the law may still struggle to be in perfect compliance on July 1.”
Reading list
A lot has happened since 2018, when the CCPA was still just a California ballot initiative. Here’s a rewind in case you missed anything.
- Bombora Sues ZoomInfo For Allegedly Gaining An Unfair Advantage By Breaching CCPA
- IAB Tech Lab Intros New Spec To Handle CCPA Data Deletion Requests
- The California Data Broker Registry’s Growing Significance For Ad Tech
- California AG Submits CCPA Regs For Approval With Less Than A Month To Go Before Enforcement
- Tips For Remote CCPA Prep: Don’t Delay, Expect Enforcement In July, Wear Pants
- As CCPA Enforcement Deadline Looms, California AG Shares Latest Draft Regs
- CCPA Makes The Digital Advertising Industry Feel Like Charlie Brown
- Just Because You’re Compliant With COPPA Doesn’t Mean You’re Cool Under CCPA Or GDPR
- Marketers, Avoid These CCPA Blind Spots
- The Complete AdExchanger Brain Dump On CCPA Now That The Law Is In Effect
And P.S. California Attorney General Greenlights CPRA for Appearance on November Ballot
