The COVID-19 pandemic has led to the widespread interruption of operations for businesses around the world. A large proportion of these businesses not only have a significant internet presence, but many have increased their online activities due to the need to conduct business remotely in order to comply with shelter-in-place orders. Over the past several months, many of these businesses have also been scrambling to comply with the data privacy requirements set forth under the new California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. Despite the large-scale business disruptions that have occurred in relation to the coronavirus emergency, CCPA enforcement went into effect on July 1, 2020. However, some of the CCPA’s built-in extensions of time may provide businesses with some relief if they are having compliance difficulties due to the pandemic.
The CCPA was passed by the California Legislature in 2018, and many view it as being somewhat akin to the European Union’s General Data Protection Regulation (GDPR) with regard to the broad scope of data privacy reform it seeks to enact. A number of other US states are in the process of crafting similar statutes, and are looking to some of the CCPA’s provisions in determining how to expand their data privacy and protection laws.
In general terms, the CCPA implements new data privacy and disclosure rules for any for-profit entity (in any location) that collects the data of California residents and has at least $25 million in annual gross revenues, collects the data of at least 50,000 California consumers, households, or devices per year, and/or makes 50% or more of their annual revenue from selling Californians’ personal information. Even if you are unsure as to whether your business is subject to the CCPA, it may be wise to comply with its mandates given that consumer data privacy laws are likely to become more prevalent and even more stringent in the future.
The CCPA requires covered businesses to be transparent with consumers about the types of personal data it collects from them, where they get this information, why they collect it, and who they share it with. The kinds of personal identifying information that is subject to these rules includes people’s names, addresses, employment information, biometric data, products or services purchased, email addresses, and official numbers such as passport numbers. An exception to this requirement exists for personal information that is publicly available.
Under CCPA requirements, California residents have a right to know that your business is collecting their personal data, a right to access the data you have collected on them in a “readily usable format,” the right to have you delete their personal data from your systems, the right to opt out of having their personal data sold or shared, and the right to not be discriminated against for exercising their rights under this law.
CCPA Enforcement During COVID-19
Since the onset of the coronavirus emergency, members of the tech advertising industry had asked to delay the enforcement date, but with no success. Conversely, privacy advocates have pointed out that, especially with the surge in remote work and other online activities occurring in response to the coronavirus outbreak, consumer data privacy is now even more important. The CCPA may be enforced retroactively back to January 1, 2020. (The law also has a 12-month look-back period related to access to personal data.)
Businesses struggling to keep their basic operations going in light of the COVID-19 pandemic may be understandably concerned about their ability to be responsive to CCPA requests from consumers during this time. This is especially so given that there has been confusion surrounding the implementing regulations, that non-compliance carries penalties of up to $7,500 per incident, and that consumers can also sue for violations.
Until clearer guidance becomes available, the compliance and enforcement waiting periods built into the CCPA may offer businesses some relief. For instance, companies have 45 days to respond to consumer requests to exercise their rights to know and be deleted under the CCPA, and they can have another 45 days provided that they give notice to the consumer. Further, in the enforcement context, businesses have a 30-day period to cure any violations that state officials notify them of before punitive action occurs. These timeframes may provide companies with at least the opportunity to determine how to respond to right to know and right to be deleted requests from consumers (who are limited to two requests per year as to any given company), and bring their procedures into statutory compliance if necessary.