According to a report from the International Association of Privacy Professionals, the California Attorney General has confirmed that enforcement of the California Consumer Privacy Act (CCPA) will not be delayed due to the Covid-19 pandemic. “We’re committed to enforcing the law as early as July 1,” said a representative of the Attorney General’s office according to the report. The statement from the Attorney General’s office goes on to emphasize the importance of data security, which may suggest that data security will be an initial focus of enforcement efforts. Media and advertising groups had previously urged a delay in enforcement by the Attorney General. The July 1st enforcement date confirmed by the Attorney General’s office reflects the enforcement date required by the statute. The Attorney General has also issued draft regulations under the CCPA. The effective date of these regulations depends upon finalization by the Attorney General and subsequent approval by California’s Office of Administrative Law (OAL). If the Attorney General finalizes and provides the regulation to the OAL before April 16, then it is likely that the regulations will become effective July 1; otherwise, if the Attorney General finalizes and provides the regulations to the OAL by July 20, then the regulations are expected to become effective October 1.[1]
Apart from public enforcement by the Attorney General, private litigants are already actively litigating claims based on the law, reflecting the fact that the law became generally effective on January 1. Current class-action lawsuits focus on notice requirements, security requirements, and opt-out requirements under the CCPA, including claims in the context of data sharing with third parties for marketing purposes (such as Facebook).
Alston & Bird has previously covered the California Consumer Privacy Act’s enactment, private right of action, and offered a webinar on operationalizing CCPA requirements.
Financial businesses subject to New York’s cybersecurity regulation (23 NYCRR Part 500) may delay filing their Certificate of Compliance until June 1, 2020. The New York Department of Financial Services confirmed the deadline extension as a response to Covid-19. The New York Department of Financial Services had previously extended the deadline from February 15 to April 15. On its website, the Department writes, “Due to the outbreak of COVID-19, the deadline for Certification of Compliance for calendar year 2019 has been extended from its original deadline of April 15, 2020 to June 1, 2020.”
___________________
[1] See Office of Administrative Law, Guide to Public Participation in the Regulatory Process (2006); California Department of Justice, Notice of Proposed Rulemaking Action (October 11, 2019); California Department of Justice, California Consumer Privacy Act Regulations: Information About the Rulemaking Process (downloaded April 2, 2020). These projected dates are an attempt to predict likely outcomes but those outcomes could change based on a number of factors (e.g., speedier review by the OAL, special request by the AG to delay or speed up enforcement, or objections by the OAL).