Virus No 'Excuse' to Delay CCPA, Says California Senator; AG Sticks With July 1
The state's attorney general isn’t backing off plans to enforce the California Consumer Privacy Act starting July 1 despite a push by business groups to delay it by six months amid COVID-19. Lawyers are advising businesses to expect enforcement that day. The public health crisis must delay some things but shouldn't postpone this, said California Senate Judiciary Committee Chair Hannah-Beth Jackson (D) in an interview.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
About 60 business groups including the Association of National Advertisers (ANA), California Chamber of Commerce (CalChamber) and TechNet urged AG Xavier Becerra (D) last week to delay enforcement until Jan. 2. They argued businesses dealing with the coronavirus may lack extra operational capacity. Working at home means people involved with compliance “are not present in the office to undertake such tasks,” they said.
“We're committed to enforcing the law starting July 1,” an AG office spokesperson emailed Thursday. “We encourage businesses to be particularly mindful of data security in this time of emergency.” The AG hasn’t asked Jackson “about any potential ability to legislate or to get any kind of extension,” the state senator said. “It’s my expectation that they’ll start enforcing ... July 1.”
ANA has received “no signal from the attorney general that he is extending the time, but you can say that all you want and that doesn’t mean people are going to be able” to comply on time, said Group Executive Vice President-Government Relations Dan Jaffe in an interview. “The pandemic dramatically escalates the kinds of problems and concerns that people are facing.”
Jackson would rather see businesses “delay collecting and selling our personal information," she said: don’t use COVID-19 as the latest “excuse." It’s “more important that we make sure that they follow these laws because we’re actually using our computers and technology [more] than ever before.” The lawmaker opposes giving businesses more flexibility. Lawyers and administrators working on compliance aren’t “binge-watching Netflix all day,” she said. “They’re working.”
“We’re not asking to be let out,” but “give us time before you bring down the hammer,” Jaffe said. Becerra keeps revising proposed rules and it’s unclear when they will be final, Jaffe said. Gov. Gavin Newsom’s (D) recent executive order on coronavirus, allowing an extra 60 days to the normal 30-day deadline to approve regulations, adds more uncertainty, Jaffe said.
Businesses have had a lot of time to prepare for CCPA, and the law has been in effect for four months, said Electronic Frontier Foundation Legislative Activist Hayley Tsukayama. “There is potential that actually this is the most vulnerable time for consumers when it comes to data collection,” she said. “This is not the time to delay.”
"Business owners are not asking to avoid compliance, we are asking the Attorney General not to sue people until at least January 1, 2021," emailed CalChamber Policy Advocate Shoeb Mohammad. "Even if a local restaurant in California could afford to hire a lawyer today, there are no final regulations for that lawyer to rely on."
“The regulations keep changing and the timeline to implement those changes gets shorter as the July 1 deadline gets closer,” emailed Robinson Cole privacy attorney Deborah George. “The request by the trade groups is to delay enforcement actions by the Attorney General, not CCPA compliance overall.” Delaying enforcement would let firms focus on “critical technology needs,” she said. “Businesses are focused on COVID-19, whether it is to completely change the way they do business or whether it is to survive.”
“The anxiety is reasonable,” emailed Center for Democracy & Technology Privacy and Data Project Director Michelle Richardson. “But the CCPA does not have a private right of action and the attorney general has said he only has the resources to bring a few cases a year. There is zero reason to believe that the AG would expend his limited resources on prosecuting good faith failures to meet statutory requirements in the face of a true emergency.”
Becerra “will want to make a big splash with the initial few enforcement cases, but likely will focus on companies that aren’t impacted by COVID-19, like social media,” emailed Wiley attorney Joan Stewart. She hasn’t “heard anything that indicates the AG will be sympathetic” to businesses’ request for delay.
Acting like enforcement starts July 1 is “best practice,” Farella Braun attorney Julia Kropp blogged March 25. Unless Becerra "unexpectedly changes" his position, "companies must continue to keep CCPA compliance in mind," Mintz attorney Natalie Prescott wrote March 26.
Document virus disruptions, the Hanson Bridgett firm advised Tuesday. “While we believe that it is unlikely that the AG will look the other way if businesses cite COVID-19 as a reason for failing to meet the requirements of CCPA, we would expect it to be a mitigating factor.”