Key CCPA Compliance Dates – The Effective Date and Enforcement Deadline for the CA Consumer Privacy Act
The compliance date for the California Consumer Privacy Act (CCPA) is January 1, 2020. Covered businesses under the law will need to put appropriate solutions in place to meet the start of the 2020 effective date in order to be able to handle the right to access, the right to delete, the right to opt-out (or opt-in for children under 16 years of age), and the other requirements of California’s new privacy law.
The effective date was set at 18 months from the passage of AB-375. This deadline was shorter than the European Union gave companies to prepare for the General Data Protection Regulation (GDPR). In addition to the years of notice they had as the lawmakers negotiated the terms of the bill, companies were also given two years from its adoption before enforcement of GDPR began.
However, companies did get a small break with the CCPA as enforcement by the Attorney General will not start on the effective date. The legislature changed the CCPA enforcement date as part of SB 1121 at the end of August 2018. The SB 1121 amendment delayed enforcement by up to six months, depending on when the California Attorney General issues the final regulations following a public discussion process. Instead of beginning on January 1, 2020, CCPA enforcement will instead begin six months from the date that the AG issues the final regulations, although in no event later than July 1, 2020.
If the Attorney General ultimately publishes the final regulations on or before July 1, 2019, then there will be no change in the start date for enforcement of the CCPA. However, this time frame appears unlikely. The California Attorney General has published a tentative timeline for the publication of the draft CCPA regulations in Fall 2019. The Attorney General would then have a public comment period and consider any revisions necessary to the draft regulations.
If this projected timeline is ultimately adhered to by the Attorney General, the CCPA enforcement date is likely to start no earlier than April 2020. If the public comment period is extended following the publication of the draft rules, or substantial revisions are made that necessitate more public comments, then it could be delayed even further and approach the deadline for the start of enforcement at the beginning of July.
In any event, it appears unlikely that enforcement will begin on January 1, 2020 given the current anticipated schedule. AB 375 originally called for the Attorney General to issue rules and procedures for the CCPA within one year of its passage. The Attorney General previously indicated in a letter to the California legislature that it would be difficult to meet this timeline. There is no reason to anticipate a surprise here, particularly as the legislature is still considering potential CCPA amendments.
Nevertheless, the delay caused by the change from SB-1121 technically only covers enforcement by the Attorney General. It does not delay the requirement to implement the consumer privacy rights for businesses. It also does not delay the start of any cause of action for negligent data breaches. Businesses still need to be ready on January 1, 2020 to make the additional privacy disclosures required by the law, offer consumers the right to opt out of the sale of personal information, as well as provide them the right to access and delete their personal information. They also need to have in place the appropriate cybersecurity protections in order to minimize the risks of a lawsuit due to a negligent data breach.
Here is the specific delay language from Section 1798.185(c): “The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
Businesses may have additional time before enforcement due to the 30 day period to cure noncompliance. If a business can cure a problem with its privacy compliance and follow the procedures set forth in the law to do so, then there has been no violation of the law and they will not be subject to a government, class action or individual consumer lawsuit for the failure to comply with the law.
Who needs to comply with the law? Any person or organization doing business in California with more than $25 million in annual revenue, any business collecting information on 50,000 or more people or devices, and any business that makes more than 50% of its annual revenue from the sale of personal information.
In any discussion of the start to enforcement, it is worth noting that several sections of the law are scheduled to be clarified in regulations to be issued by the Attorney General. Those regulations are intended to be announced before the beginning of the enforcement period.
The legislature also may make some substantive changes to the California Consumer Privacy Act in 2019. AB-375 was pushed through the legislature in a very short amount of time due to the deadline for withdrawal of the privacy ballot initiative by the organization sponsoring it. SB 1121 provided for “technical corrections” to clean up the law in August 2018, with more substantive discussions delayed until the 2019 legislative session. During the 2019 legislative session, more than a dozen bills were introduced in the Assembly and Senate to amend the CCPA. Although some of them are relatively minor, a few make substantial changes to the law that may impact compliance efforts.
If you are looking for software to comply with the California Consumer Privacy Act, call Clarip at 1-888-252-5653 for a demo of our enterprise privacy software, which includes data mapping, a DSAR Portal and consent management for California.
Learn more about California’s new law:
Overview of the California Consumer Privacy Act
Right to Opt Out
Right to Access
Right to Delete
Opt In Consent for Kids
Effective Date for Compliance
Application to non-CA Businesses
Do Not Sell My Personal Information Link
Financial Incentives for Information Sharing
Deidentified and Aggregate Consumer Information
Government Fines and Consumer Damages
Text of AB-375
Blog Posts on the Privacy Law:
Will California’s Privacy Law Extend to the Rest of the Country?
Big Day for California Privacy Law
California to Pass New Privacy Law
California Consumer Privacy Act Expected on November Ballot