Data Privacy

CCPA Enforcement Date Sticks Despite COVID-19, Could Spur Federal Data Privacy Rule

July 13, 2020 – Although more than 65 companies and industry organizations requested that enforcement of the California Consumer Privacy Act (CCPA) be delayed beyond the July 1 effective date, California Attorney General Xavier Becerra asserted on July 1 that enforcement begins now, despite the COVID-19 pandemic and the fact that the final rulemaking package was not submitted to the California Office of Administrative Law (OAL) for its review to ensure the rules comply with various statutory standards until June 1.

This state action, along with challenges presented by the pandemic, “raise the stakes for, and ultimately enhance the prospects for meaningful federal legislation on data privacy and security” after the November elections, according to Coalition for Healthcare Communication Executive Director Jon Bigelow.

“It has been fully two years since the CCPA was enacted, with an effective date of Jan. 1, 2020, and an enforcement date of July 1. But because the original bill that was rushed through the California legislature contained internal inconsistencies, there has been a long process of modifications and clarifications overseen by the California Attorney General’s office,” Bigelow explained. Although the final rules were issued on June 1, Gov. Gavin Newsom issued a pandemic-related extension to the normal 30-day approval period, so the OAL has until Oct. 1 to complete its review,” he said.

The groups requesting the delay in enforcement date “believe that the delay would allow time for the OAL to issue its decision and for companies to understand and get into compliance with the final rules; it also would allow consideration of legal questions on certain elements of the proposed rules, and it would be beneficial at a time when all companies are under operational stress due to the COVID-19 pandemic,” Bigelow noted.

He remarked that the CCPA is the most sweeping law related to data privacy enacted in this country so far, and by virtue of the size of California’s population and economy, it sets the tone for companies across the nation. The CCPA allows consumers to request information on what data a business is collecting about them and from where, and to request that the business delete that data (with certain exceptions). Consumers also can ask whether a company is selling their data and to whom, and they can request that their data not be sold. It also provides that a business may not discriminate against consumers based on their having exercised their CCPA rights. The CCPA will be enforced primarily by the Attorney General, but it also allows consumers to file lawsuits for certain infractions.

Meanwhile, a measure to modify CCPA protections and create a new enforcement agency—the California Privacy Rights Act – will be on the ballot in November, according to Bigelow, who added that Nevada passed its own privacy bill in 2019, and Hawaii, Louisiana, Washington, and other states have introduced more than 25 privacy bills so far in 2020. These bills often share goals and general features, but they differ in the important details that determine whether an organization is in compliance.

“Of course, the nightmare scenario for American businesses and nonprofit organizations is to have many or all 50 states create their own rules for protecting data privacy and security,” stated Bigelow. He contends that when key issues in data protection involve online retailers, national financial institutions, global social media platforms and search engines, electronic medical and insurance records, geolocation on mobile apps, platforms for virtual conferences, and so on, “clearly data use and misuse crosses state lines. Organizations would be forced to keep track of and comply with a kaleidoscope of shifting rules, and the level of protection afforded consumers would vary depending on where they reside.”

All of this increases the importance of enacting one coherent program for regulating data privacy and security at the federal level. Members of Congress in both parties understand this, Bigelow said, and – pending new developments in the pandemic – “a bipartisan effort to enact a federal law is highly probable in 2021.”