COVID-19 Fuels Heated Fight Over CCPA Enforcement Timing

By Allison Grande
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Banking newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (March 27, 2020, 8:39 PM EDT) -- The coronavirus pandemic has escalated tensions over whether companies have the necessary time and resources to fully comply with California's landmark privacy law by July, but even a temporary enforcement reprieve wouldn't give businesses a free pass for their current conduct, experts say.

While the California attorney general's office has said it has no intention to cave to mounting pressure from businesses to delay enforcement of the California Consumer Privacy Act until early next year, calls for such a pause are only likely to intensify in the coming months as the novel coronavirus forces companies to reevaluate their priorities and stretches IT departments thin, attorneys said.

"Companies understandably need to focus now almost singularly on the health and safety of their employees and consumers and on business continuity," said BakerHostetler partner Alan Friel, whose firm filed comments with the attorney general on March 16 arguing for the planned July 1 enforcement deadline to be extended by six months. 

"Just as tax return and payment obligations have been pushed back to allow time and resources to be directed to COVID-19 response, so should the CCPA enforcement date," Friel said.

That stance has faced resistance from advocacy groups such as Consumer Reports, which has urged the state to stay the course in order to ensure that the CCPA's robust consumer protections are being properly implemented during these unprecedented times.

The Electronic Privacy Information Center has also opposed the bid to delay enforcement, with its president, Marc Rotenberg, telling Law360 that he was "very disappointed" to see the business community attempting "to use a public health crisis as a reason to delay implementation" of the law.

"That is both reckless and irresponsible," he said. 

However, even if the California Chamber of Commerce, UPS, the Association of National Advertisers and others are successful in their bid to secure a delay or even a formal assurance that the state will go easy on enforcement, companies can't just write off their obligations to adhere to the law, which took effect Jan. 1, or to implement regulations that the attorney general is still drafting.

While Attorney General Xavier Becerra isn't allowed to begin bringing enforcement actions until July, nothing prevents the regulator from coming down on companies for conduct that dates back to the law's Jan. 1 effective date, and the attorney general has already said he intends to hold businesses accountable for their actions across CCPA's entire lifespan.

"Even if the enforcement deadline were to be pushed out, that doesn't mean that if a company commits an egregious violation today, that the attorney general wouldn't go after that next year and look at it in determining what penalty that company should face," said Jean-Marc Chanoine, global head of strategic accounts at software company Templafy.

Additionally, the bill's private right of action that allows consumers to bring lawsuits for data breach-related claims is already in effect and will continue to be wielded. And California cities and counties are separately empowered to go after companies for potential CCPA violations using the state's unfair competition law, said Travis LeBlanc, vice chair of the cyber and data privacy practice at Cooley LLP and onetime senior adviser to former California Attorney General Kamala Harris.

"It's important to be mindful that there are still other actors in the enforcement ecosystem that can continue to proceed irrespective of the attorney general's decision," LeBlanc said.

In their March 17 letter to the attorney general, nearly three dozen trade organizations and companies representing the tech, telecom, retail, banking, insurance and other sectors argued that now was "not the time to threaten business leaders with premature CCPA enforcement lawsuits."

They said the widespread shift to remote working has complicated the already formidable task of building and testing processes to comply with the law's groundbreaking data access and transparency requirements by forcing key staff to work off-site.

Legal experts who advise companies on CCPA compliance agreed that having offices empty out and IT staff shift their focus to keeping corporate networks running has significantly impacted companies' ongoing efforts to stay up to speed with their still-evolving obligations. 

"The CCPA is one of those laws that requires collaboration across a range of different business units, and while there are some great tools for online collaboration out there, it's harder to be able to coordinate enterprisewide on an initiative as broad-reaching as the CCPA when people are physically apart from each other," said Ballard Spahr LLP partner Kim Phan.

Under the CCPA, which is the first law of its kind in the nation, consumers are empowered to ask companies to disclose what personal information they hold about them, to request the deletion of that data and to opt out of the sale of that information.

Complying with the law requires far more than "just drafting a policy and rolling it out," said Behnam Dayanim, the head of Paul Hastings LLP's privacy and cybersecurity practice. Companies also need to understand where personal data is kept and how it's flowing through their organizations, and to set up systems to respond to consumers who are exercising their new rights.

Companies are particularly concerned about the health crisis' impact on their ability to disclose the personal information they hold about individuals within 45 days of receiving requests for that data. Given that several corporate departments as well as third-party vendors often hold information relevant to these requests, the obstacles that remote working presents may make it difficult for companies to meet this already-tight deadline, attorneys said.

"CCPA compliance is still happening, but there's a slowdown," said Amy Lawrence, counsel in the privacy group at Frankfurt Kurnit Klein & Selz PC, noting that people might be slower to respond to emails or not have the resources or ability to respond to questions until they get back into the office.

Business groups, in both their latest letter and a separate January correspondence seeking a similar enforcement delay, have also urged the attorney general to take into account that the regulations meant to help guide companies' implementation of the novel law haven't been finished.

"The fact that the proposed regulations are not yet final and continue to be revised by the AG's office has made staying in step more of a challenge even under the best of circumstances, which these obviously are not," said Mark Lyon, chair of the artificial intelligence and automated systems practice group at Gibson Dunn & Crutcher LLP.

The attorney general's office released its initial draft regulations in October, outlining guidance on key provisions such as how to respond to consumer data requests and how to avoid discriminating against customers. The office has tweaked the regulations twice since then and is expected to again issue revisions once it considers the latest round of public comments that were due March 27.

With each draft, the state has made changes that impact the policies and procedures that companies have put in place, such as including a picture of what a sales opt-out button should look like in one draft only to remove that image in the next version.

"The changes may not look major, but when you're trying to develop a system for compliance, these minor changes have a substantial operational impact," LeBlanc said.

Advocacy groups have countered that there's no reason to delay enforcement of a law that was put on the books in June 2018 and has been in effect for nearly three months.

In comments filed with the attorney general Thursday, Consumer Reports argued that sticking with the planned enforcement deadline was vital to incentivize companies to comply with the new obligations, especially at a time when consumers are spending more time online in the wake of the COVID-19 crisis.

"If these rules are voluntary, then companies are just going to flout them," Maureen Mahoney, a policy analyst at Consumer Reports, told Law360. She said many companies have already been evading compliance with the CCPA by taking steps such as "claiming exceptions that don't exist to avoid putting up do-not-sell buttons."

In response to these competing arguments, an adviser to the California attorney general has said that "right now, we're committed to enforcing the law upon finalizing the rules or July 1, whichever comes first."

"We're all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers' privacy online that comes with it," the adviser added. "We encourage businesses to be particularly mindful of data security in this time of emergency."

While putting off the enforcement deadline would provide a measure of comfort to companies who had planned to use the next few months to finalize their compliance efforts, the state doesn't necessarily need to delay enforcement to provide the breathing room that companies are seeking, attorneys said.

"It's likely that some companies are hoping for the California attorney general's office to exercise regulatory discretion when it comes to enforcement, even if it doesn't adjust the enforcement deadline to account for some of the situations that companies are facing right now," said Hogan Lovells partner Bret S. Cohen.

Several regulatory agencies in the U.S. and abroad have issued statements in recent weeks signaling relaxed enforcement postures in light of the escalating coronavirus threat, including the Federal Trade Commission and the U.K.'s Information Commissioner's Office.

A public pronouncement like that from the California attorney general that "recognizes the difficulties that businesses are facing at this time and gives a little more leeway in terms of the timing of compliance" would be a big help to companies, Cohen said.

Reggie Pool, senior director at HBR Consulting, said companies generally aren't looking at the current health crisis as an excuse to ignore their compliance obligations and that any form of relief from enforcement wouldn't change that outlook.

"Organizations aren't trying to delay on purpose, but the coronavirus outbreak has caused priorities to change," he said.

In pushing for the current enforcement deadline to stand, Consumer Reports has argued that companies making good-faith efforts to comply with the law shouldn't have anything to worry about, given that the attorney general's office has already made it clear that it only has the resources to bring a few enforcement actions per year and that it's planning to focus on prosecuting "only flagrant violations" of the CCPA.

LeBlanc, the former senior adviser to the attorney general, agreed that even if enforcement begins as planned, it will likely be limited. The regulator, which will have to deal with coronavirus-related disruptions of its own, is expected to kick off enforcement by issuing a round of civil investigative demands, and LeBlanc said he would be "shocked" if these investigations targeted more than a handful of companies suspected of committing the most egregious violations.

"Both the attorney general and industry are trying to steer through the waters toward the July 1 enforcement deadline, and coronavirus is a tidal wave that no one was expecting," LeBlanc said.

--Editing by Aaron Pelc and Alanna Weissman.

For a reprint of this article, please contact

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!