CCPA Update: California Attorney General Comments on Enforcement
With the compliance deadline of the California Consumer Privacy Act (“CCPA”) quickly approaching on January 1, 2020, many companies are anxious as to how the California Attorney General (“Attorney General”) will prioritize enforcement of the new act. While the enforcement date of the CCPA will not take effect until the earlier of July 1, 2020, or six months after final regulations are issued by the Attorney General’s office, this date will almost certainly be July 1, 2020, as the predicted date of the final regulations is July 1, 2020. We discussed the Attorney General’s proposed guidance in a previous article. With many ambiguities remaining in the act, itself, and the draft regulations only addressing some concerns, many companies are left wondering whether their compliance efforts will withstand the enforcement scrutiny by the Attorney General.
However, recent comments made by Xavier Becerra, the Attorney General, in an interview with Reuters shed some light on how, at least initially, his office may approach enforcing the CCPA. General Becerra stated companies that “demonstrate an effort to comply” will be looked upon favorably, whereas companies that do not demonstrate these compliance efforts to operate properly will be made an “example of” to others. While the comments are neither definitive nor represent the Attorney General’s formal enforcement policy, companies taking a proactive approach to CCPA compliance should feel justified in the amount of time and resources dedicated thus far. For all others, the Attorney General’s comments underscore the importance of, at minimum, conducting a CCPA analysis to determine what your company’s obligations, if any, may be under the CCPA, and what efforts are required to meet such obligations by the enforcement date.
Importantly, companies with CCPA compliance obligations need to be aware that enforcement investigations and actions brought by the Attorney General are not the only type of legal actions they must be ready to defend—there remains the threat of class action lawsuits brought against companies that experience data breaches affecting California residents. The CCPA provides individuals with a private right of action in the event a company experiences a data breach and failed to implement reasonable and appropriate security measures. By providing for a private right of action, the CCPA allows individuals to get past the threshold issue of legal standing—a legal doctrine relied on by multiple companies to get individual lawsuits and class actions dismissed early in litigation. Additionally, this private right of action also comes with statutory damages, meaning it will likely be more difficult for companies to argue a consumer experienced no damage resulting from a data breach, as damages are explicit in the act itself.
The CCPA is a novel and complex privacy law and remains a point of evolving compliance, but one thing is clear from these predicted legal enforcements of the act: demonstrating efforts to comply and documenting such efforts will be extremely important as the enforcement landscape develops.