Enforcement of CCPA Begins July 1st While Regulations Still in the Offing

June 10, 2020 David Holtzman

The California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020 requires businesses that collect, share, or sell the personal information of California residents to provide a long list of privacy rights, including a notice of privacy policies, the right to request an accounting of disclosures, the right of access to their personal information, and to have it deleted.  The CCPA defines these terms very broadly and apply to many businesses throughout the U.S. that collect the personal information of California residents through their physical or digital presence in the state.  The California Attorney General was given authority to police the CCPA, but the state legislature delayed enforcement until July 1, 2020.

The CCPA was written and passed hurriedly in late 2018 to avert a proposed ballot initiative that would have imposed even more stringent privacy standards. The rush to preempt the ballot initiative led to provisions in the law that included a number of ambiguous and conflicting requirements. The California legislature left it to the attorney general to resolve these issues through guidance and regulations implementing the statute.

With the start of enforcement of the CCPA arriving in a few days, the journey to adoption of the implementing regulations are moving at a snail’s pace. The attorney general’s proposed regulations were submitted for the California’s Office of Administrative Law for review on June 2nd.  Depending on the state’s administrative rulemaking process, formal adoption may not take place until as late as October.

The complexity and sheer size of the regulations to implement the CCPA (over 11,500 words on top of the 10,000 words in the CCPA statute) make reading, understanding and complying with the requirements challenging.  A small sample of the regulations that will impact all businesses required to comply with the CCPA involves the notices provided to consumers about the personal information collected about them.  The new rules will require that notices be accessible for consumers with disabilities, and for online notices to follow recognized industry standards such as the Web Content Accessibility Guide (WCAG), version 2.1.  Another standard in the CCPA regulations will require all businesses to implement and maintain reasonable security procedures and practices to maintain the records of consumer requests invoking rights given under the statute.

While most attention surrounding the CCPA has focused on how it gives California consumers the rights to notice, choice and control over the personal information collected by businesses, receiving less attention are important provisions creating a duty to have reasonable security measures that prevent data breaches of personal information. Unlike the CCPA’s consumer privacy provisions which are enforced by the attorney general, consumers are given the right to sue when a data breach results in the loss or theft of their personal information. The CCPA’s provisions giving consumers a private right of action when their personal information is exposed through a data breach took effect in January and has already resulted in a number of high-profile class-action lawsuits brought by California residents.

Businesses face more uncertainty as temporary exemptions for some requirements of the CCPA sunset at the end of this year. The California legislature exempted personal information collected from job applicants, employees, and their families (HR data) from many of the rights provided to consumers for transparency and choices for how their information is shared or sold. Another one-year exemption set to end applies to personal information of consumers who are employees or owners of an entity whose data was collected in connection with business-to-business relationship (B-2-B Data).

In addition, a new ballot initiative to be voted on in November calls for further expansion of California’s consumer privacy protections. The California Privacy Rights Act (CPRA or CCPA 2.0) would significantly expand the rights of consumers over how businesses collect and share their personal information including a new right to correct information about them, creation of a state agency to enforce privacy law in California, and clarifying that all businesses have an obligation to protect the security and prevent unlawful disclosure of personal information.  If a majority of California voters support the CPRA, most provisions would not become effective until January 1, 2023.  However, its approval by voters would immediately extend the current exemptions for HR and B-2-B data for an additional 2 years.

There are a number of problems in CCPA that require clarification, and there is the possibility that the California legislature may further amend its provisions or that the attorney general’s regulations will be further delayed. Even though enforcement of the CCPA will begin as scheduled, some may be tempted to hold off assessing how the law may apply to their organization until all the kinks have been worked out. The bottom line is that the scope and reach of the new law to entities that do business in California makes waiting for the attorney general and legislature to get their act together is a very risky proposition.

UPDATED: June 11, 2020
The movement to put the CPRA e on the ballot for the November 2020 election has been thrown into uncertainty. The advocates behind the effort have filed suit in the California courts to resolve a controversy that could prevent the initiative from being eligible to be voted on this year. The outcome will have a direct impact on new rights for consumers to exercise choices over HR and B-2-B data collected by businesses that would automatically take effect in January 2021. Stay tuned.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two-decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

Follow on Twitter
Previous Article
FBI Warning Order: Increased and Imminent Cybercrime Threat Coordination
FBI Warning Order: Increased and Imminent Cybercrime Threat Coordination

Read more about the Joint Cybersecurity Advisory coauthored by the HHS, CISA, and FBI.

Next Article
Right-to-repair Medical Equipment Finally Here?
Right-to-repair Medical Equipment Finally Here?

iFixit has provided consumers with mountains of literature including manuals. Should the medical device com...


Subscribe to Our Monthly Cyber Bulletins with the Latest News, Tips and More!

First Name
Last Name
Thank You!
Error - something went wrong!