To state the obvious, businesses subject to the California Consumer Privacy Act may have more urgent matters to handle these days than responding to CCPA consumer requests.
Indeed, even before the coronavirus crisis, businesses were navigating how to respond to CCPA consumer requests—and comply with the CCPA in general—given that the California attorney general has yet to finalize the CCPA’s implementing regulations. With the CCPA’s July 1 enforcement deadline rapidly approaching, businesses were starting to question whether the implementation time frame was reasonable, especially when the attorney general’s office issued another round of modified regulations in March instead of final regulations.
To that end, on March 17, 2020, over 30 trade associations, companies, and organizations sent a letter to California Attorney General Xavier Becerra requesting that, in light of the coronavirus pandemic and unfinished status of the regulations, he “forebear from enforcing the CCPA until January 2, 2021 so businesses are able to build processes that are in line with the final regulations before they may be subject to enforcement actions for allegedly violating the law’s terms.”
On March 19, 2020, the attorney general’s office responded, stating that it does not have any current plans to delay enforcement. According to reports in Forbes, the Wall Street Journal and Corporate Counsel, an adviser to Becerra sent an email to reporters, stating “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first . . . . We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
The use of the phrase “right now” implies that the attorney general may change his mind as the crisis unfolds. However, the fact that the attorney general’s office stated that there is a “heightened value” to protecting consumers’ privacy during the crisis suggests that the attorney general may proceed with the July 1 enforcement deadline because of the crisis.
Before the coronavirus pandemic, the attorney general publicly stated that CCPA enforcement actions can cover activities between January 1 and July 1. Whether or not that position is ultimately legal, it places businesses in a difficult situation when balancing coronavirus-related business disruptions and responding to CCPA consumer requests in a timely manner.
U.K. Won’t Penalize During Pandemic
By comparison, the United Kingdom’s Information Commissioner’s Office issued guidance in light of the crisis, explaining that it will take a pragmatic and reasonable approach to enforcement:
“During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
Despite the absence of similar guidance from the California attorney general’s office, businesses subject to the CCPA are not without some measure of relief—at least when responding to requests to know and delete.
Coronavirus Delays Should Warrant 45-Day Extension ‘Reasonably Necessary’
Businesses must respond to requests to know and delete within 45 calendar days of receipt of the request. However, Section 1798.130(a)(2) states that the “time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.”
The ability to take a 45-day extension also is provided for in Section 999.313(b) of the proposed regulations, which state: “If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days from the day the request is received, provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.”
Although the CCPA and draft regulations do not provide guidance on what qualifies as “necessary,” delays caused by coronavirus-related business disruptions—if accurate—should certainly qualify.
Notwithstanding a business’s ability to exercise a 45-day extension, there are other CCPA requirements that businesses must take into account.
First, the CCPA still requires businesses to confirm receipt of requests to know and delete within 10 business days of receipt. Such confirmation must provide further information on their response and verification process. If not already done, businesses should draft these 10-day response communications now.
Second, as discussed, businesses will need to provide notice of the extension prior to the expiration of the initial 45-calendar-day period. Again, this type of correspondence can be drafted now.
Third, if possible, businesses should timely initiate their verification process. Section 1798.130(a)(2) states that the failure to verify a request cannot be a basis for extending the initial 45-day response period. Further, § 999.313(b) of the proposed regulations states that if “the business cannot verify the consumer request within the 45-day time period, the business may deny the request.” Accordingly, if, for example, a consumer fails to respond with the necessary verification information, a business would have a basis for denying the request entirely.
Fourth, and importantly, businesses must keep in mind that requests to opt out are subject to a 15-business-day compliance period, which cannot be extended. Pursuant to the most recent draft regulations, businesses that receive an opt-out request will have 15 business days to stop selling the consumer’s personal information.
Further, if the business sells the consumer’s personal information during the time between receipt and processing of the request, it must notify the third parties to whom it sold the personal information that the consumer has exercised the right to opt out and direct those third parties not to further sell that consumer’s information.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
David M. Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation, the CCPA, and state information security statutes.
Malia Rogers is an associate in Husch Blackwell LLP’s Denver office and advises clients of all sizes and across industries on data privacy and security compliance. She leverages her prior professional experience in digital marketing to develop and implement privacy programs compliant with emerging and differing privacy frameworks, including the European Union’s General Data Protection Regulation and the CCPA.