Skip to main content

Groups Seek to Bump CCPA Enforcement Date Amid Coronavirus Confusion

by Chris Brook on Monday March 30, 2020

Contact Us
Free Demo

As with many things currently, details of the California Consumer Privacy Act are unclear. That, plus confusion around COVID-19, has many interest groups hoping enforcement around the law is postponed.

A coalition of trade groups are urging California's Attorney General to bump back the California Consumer Privacy Act's (CCPA) July 1 enforcement date another six months, to 2021, in light of the COVID-19 pandemic.

The outbreak has upended life across the world and led to uncertainty. For advertisers, and assuredly other organizations that process data, its disrupted plans to guarantee compliance with the law.

In a letter to the AG earlier this month, The Association of National Advertisers (ANA) and 33 other groups, including those representing the interests of credit unions, insurance companies, amusement parks, magazines, and financial services companies, to name a few industries, said that COVID-19 has "encumbered businesses in their earnest efforts to operationalize the draft rules prior to July 1, 2020” and that enforcement around CCPA should be delayed until January 1, 2021.

Those plans have been almost certainly been complicated by the fact that the rulemaking process for the CCPA hasn't been finalized yet. California's Attorney General Xavier Becerra is still mulling over whether modifications should be made to the proposed regulations.

It's not the first time the ANA and other industry groups have pressed Becerra to postpone enforcement of the CCPA. The groups warned back in January that it'd be difficult for companies to effectively implement the regulations without the rules being clarified further. At the time, the groups suggested that the law not be enforceable until six months after the final rules are released, rather than in July.

The trade groups are now insisting that by and large, businesses won't have the capacity or time to align their plans with the CCPA's final regulatory requirements whenever they’re ready.

“Creating procedures and processes to comply with a law like the CCPA takes time, testing, and significant planning and foresight,” the letter reads, “Even in the most favorable of circumstances, presuming that companies will be able to achieve full compliance with brand-new substantive obligations within mere months of those obligations becoming final is an unrealistic and daunting expectation.”

The groups are pointing out that language in the CCPA says the AG cannot bring an enforcement action until six months after the legislation goes into effect - January 1, 2020 - but that there’s isn’t any language in the law that says Becerra can’t delay it further.

Advocacy groups, like the advocacy arm of Consumer Reports, are urging the AG to do the opposite and uphold the current CCPA enforcement date, acknowledging that many businesses have had a year to prepare for complying with the essentials of CCPA.

It seems as if ANA’s letter was partially spurred by a second set of modifications to the proposed rules issued by the AG earlier this month. Those modifications, issued on March 11, made a few minor tweaks to the CCPA, including how it views "personal information" and "financial incentive" and other CCPA intangibles.

The "personal information" modification erased guidance that said if a business collects IP addresses but doesn't link them to consumers, they wouldn't be considered personal information. The CCPA still applies to data that “could be reasonably linked, directly or indirectly, with a particular consumer or household.”

The "financial incentive" modification expands the definition of the CCPA's non-discrimination provision, making it so any business, program, benefit, or other offering can't prohibit financial incentives, price, or service differences if a consumer has exercised their CCPA rights.

The second set of of the Modified Regulations - technically the third version - also nixed the "Do Not Sell My Personal Information" button, said a business can't disclose a consumer's sensitive personal data in response to a request to know, and said businesses need to ask consumers requesting to delete their data if they want to opt-out of the sale of their personal information as well.

The deadline to submit written comments on the second set of modifications elapsed on Friday, meaning the AG's office is likely reviewing them currently for a not too distant future release. Every release has had a series of edits and revisions and it's safe to assume the next iteration will too

Still, while it's unclear whether the CA AG office will honor the request made by the trade associations, one thing is almost certain: The CCPA will be in a different shape this time next month than it is today.

Tags:  Data Privacy Government

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.