Just a friendly reminder from the Taft Law Privacy and Data Security Practice Group that the Attorney General of California will commence enforcement of the California Consumer Privacy Act (CCPA) on July 1, 2020. While we have all understandably been focused on the many important issues of this year, both personally and professionally, let us not forget that the Attorney General of California explicitly declined to extend the enforcement date due to COVID-19 for this first of its kind state privacy law.

While it is obviously late in the game, and impossible to provide you all the ins and outs of CCPA compliance in this single post, you can always check older posts on our Taft Privacy & Data Security Insights.  That said, it doesn’t mean you can’t get started or continue making progress to understand and meet any applicable requirements for your business. Here are some quick points and additional resources to consider.

  1. Know the rules. The basic tenants of the CCPA are clear and not that much different than what we saw with the GDPR.  First off, you should take time to make sure the CCPA even applies to your business.  Consulting counsel should always be part of your compliance plan with any law, but this checklist might help you take a first pass at seeing if you need to meet the requirements of the CCPA as a “business” or a “service provider.”
  2. “Compliance” is in the eye of the beholder. What remains to be seen is clear guidance on how the Attorney General’s office will enforce the CCPA on several topics including cookies, what a “sale” is, and how penalties and liability may be assessed.  The Attorney General office’s guidance in the past several months has raised as many questions as provided answers. We have previously summarized this guidance.

However, like many new laws, we expect to learn much more through the enforcement actions than the text of the law itself.

  1. Don’t stop working on it. While a lot remains unknown, which is always true with privacy and security, the name of the game is making progress in all aspects of your data processing compliance.  Whether you think you are “compliant” or not, don’t stop working to bring your data processing efforts in line with the requirements of the CCPA (and any privacy law for that matter).  Indeed, even the Attorney General’s Office has already stated it will only pursue the most egregious and flagrant CCPA cases initially.  So, whatever you do, do not punish the good for the perfect.  Just like your summer beach body workout, you may not be ripped by 7/1 but every step is a step towards improvement counts.