Data Security Law Blog

New Year’s Resolution 2019: Compliance with California’s Consumer Privacy Act

 

With the New Year fast approaching, so begins the one-year countdown to the California Consumer Privacy Act, or CCPA, going into effect.

We have covered the CCPA’s enactment, amendments, and relevance to New York businesses. As we have noted, it is the most sweeping data privacy law in the United States, and has stirred substantial industry opposition, as well as confusion. To avoid repeating the mad dash to compliance from before the GDPR took effect last May, companies affected by the CCPA will need to resolve spending a significant amount of time this coming year working out an implementation and compliance program for the new law. 

Before digging into the specifics, we wanted to address the most pressing question for many organizations covered under the CCPA: by what date should covered businesses endeavor to be in compliance?

The CCPA becomes “operative” on January 1, 2020. Cal. Civ. Code § 1798.198(a). But the law also requires that the California Attorney General write and adopt regulations supporting it by July 1, 2020, and delays the AG’s exclusive power to bring enforcement actions under the CCPA until after the regulations are adopted. Id. §§ 1798.185(a), (c). Thus, depending on regulatory prerogatives and industry pushback, is it possible that the regulations underlying the CCPA will not be ready when the CCPA goes live on January 1, 2020?  Perhaps.

There are, however, several reasons that organizations should start setting the wheels in motion for a January 1, 2020 compliance date, whether or not the AG has adopted regulations by then.

  • The AG’s July 1, 2020 deadline is the latest the AG may begin enforcing the CCPA. While it has not yet submitted any regulations for public comment, should it adopt regulations during 2019, the AG could—at least in theory—begin bringing enforcement actions as early as January 1, 2020.
  • Despite language that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law,” id. § 1798.150(c), is there a risk that plaintiffs will use potential violations of this law as a predicate for claims, for example, under California’s Unfair Competition Law?  See Cal. Bus & Prof. Code § 17200 (including unlawful business acts or practices under the definition for unfair competition).
  • More generally, emphasizing and smoothly implementing compliance with new laws like the CCPA can help create a strong and well-informed culture of compliance throughout an organization, which will only serve to benefit all stakeholders.

Over the next few months, stay tuned as we take a deeper dive into the CCPA to explore its significant requirements, hurdles and nuance.