No CCPA Enforcement on January 1, 2020 according to AG Regulatory Timeline
In case there was any doubt, a timeline posted online recently by the California Attorney General makes it unlikely that enforcement of the California Consumer Privacy Act (CCPA) will start on January 1, 2020. Instead, businesses can expect at least a four-month grace period, and more likely five or six months, before the California AG begins CCPA enforcement.
The delay will occur because the SB 1121 amendments to the CCPA postponed enforcement by the AG until six months after the final regulations have been published (but in no event later than July 1, 2020). With the Office of the Attorney General anticipating publication of the draft regulations in “Fall 2019” and a mandatory 45 day period for comments required to follow it, enforcement is unlikely to begin before May 1 (at the very earliest).
Here is how we have reached this conclusion:
The Office of the Attorney General has posted online the slide deck used at the CCPA public forums. The third slide provides background on the rulemaking process which is helpful for planning out compliance efforts.
The process is:
Preliminary Activities including Economic Impact Assessment, Fiscal Impact (STD 399) and Regulation Development. The six Public Forums being conducted, which wrap up on February 13th, are a part of the Preliminary Activities. The Attorney General recommends that written comments submitted as part of the process occur before the end of February.
Notice of Proposed Rulemaking including the Initial Statement of Reasons and the Text of Regulations. The slide indicates that the Office of the Attorney General anticipates publishing the Notice of Proposed Regulatory Action
Public Comment Period allows a minimum of 45 days for the agency to receive and consider comments. The Office of the Attorney General is expected to hold public hearings during the formal public comment period.
Regulatory changes that are major will kick off a new 45-day notice period for public comment. If the changes are determined substantial and sufficiently related, the agency will provide a 15-day public comment period.
If there are no changes or the changes are nonsubstantial, the agency adopts the regulations and updates the informative digest with a Final Statement of Reasons (with summary and response to comments) as well as the Final Text of Regulations. This closes the rulemaking process.
As a result:
If the draft rules are issued around September 15th, the earliest the final regulations could be published after the 45-day comment period would be November 1st. Under this scenario, the six-month grace period for businesses would put the start of enforcement at May 1, 2020. The latest that enforcement can begin under the SB 1121 amendments is July 1, 2020.
Regardless of the change in enforcement, businesses are still technically required to comply with the CCPA beginning on January 1, 2020. Companies also need to be prepared for the private right of action, which is not dependent on AG enforcement.
Second CCPA Public Forum
Morrison & Foerster has published a Client Alert with information about the second CCPA Public Forum held in San Diego. The report says there were five individuals including business representatives and consumer advocates who chose to speak at the forum.
Some of the topics that were discussed included:
Definitions: Several speakers asked for terms to be clarified or for the definitions to be taken from the NIST cybersecurity framework or GDPR.
Data Subject Access Requests: A speaker proposed a standard form approved by the Attorney General to help businesses verify a consumer request.
Financial Discrimination: Asked the Attorney General to clarify how the non-discrimination provision would work for loyalty programs.
Private Right of Action for Data Breaches: A consumer advocate argued for the Attorney General to interpret the statute broadly despite the limited scope of the current language of the text. Another speaker proposed that companies which suffer a breach event even though they have a pre-existing cybersecurity plan receive an affirmative defense.
Partial Exercise of Rights: A speaker recommended that the Attorney General allow businesses to offer consumers the choice to delete some personal information but not all (or to opt out of the sale of some personal information instead of all).
Next Public Forum Sessions
The third and fourth public forums will be at the end of this week. On Thursday, the forum will be at the Cesar Chavez Community Center in Riverside. On Friday, it will be held at the Ronald Reagan Building in Los Angeles.