March 24, 2020
On March 11, 2020, the California Attorney General issued another round of proposed California Consumer Privacy Act (CCPA) regulations. Beyond some formatting modifications, this round is far less comprehensive in scope than the draft regulations published in early February, but it does have a few substantive areas of interest.
The following are substantive revisions that appear to impact a broader scope of businesses:
The full draft regulations in comparison form may be found at this link. A synopsis of the draft regulations previously issued in February is available here.
The current comment period concludes on March 27, 2020. Questions linger as to whether CCPA enforcement timing will be impacted by COVID-19. On March 17, several large trade associations and companies filed a request for temporary forbearance of CCPA enforcement until January 2021. The request letter is available at this link. However, an advisor to the Attorney General recently commented, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” Given the delay in finalizing the regulations, most agree the earliest possible enforcement date remains July 1, 2020, based on the statute as written. With the Attorney General’s office only anticipating resources for a handful of CCPA enforcement actions per year, the most likely targets for enforcement actions remain companies evidencing “flagrant violations”.
A private right of action under the CCPA, as opposed to enforcement through the Attorney General, is only available where personal information of a consumer was compromised under the data breach provisions of the CCPA; however, the retroactivity of this provision remains unclear. Both Barnes v. Hanna Andersson, LLC (filed February 3, 2020) and Fuentes v. Sunshine Behavioral Health Group, LLC (filed March 10, 2020) claim violations of the CCPA data breach provisions. The CCPA claims in both cases likely face an uphill battle for survival, as the circumstances giving rise to the alleged breaches occurred prior to the CCPA’s effective date. Burke v. Clearview AI, Inc. (filed on February 27, 2020) claims a general violation of the CCPA on account of alleged ‘scraping’ and selling of biometric data without proper advance notice and consent. Enforcement of the notice and consumer request provisions of the CCPA lies within the purview of the Attorney General and not private citizens. The complainants in Clearview AI look to avoid this conundrum by casting the violation of the CCPA as a violation of the California Unfair Competition Law (“UCL”). Unfortunately for the viability of the CCPA claims in Clearview AI, the CCPA already explicitly precludes interpreting the CCPA “to serve as a basis for a private right of action under any other law.”
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.