COVID-19 and The California Consumer Privacy Act (CCPA)
California Attorney General's Office Will Not Delay Enforcement Amidst Pandemic Concerns

By Aloke S. Chakravarty and Sarah S. Anand

The California Attorney General’s (AG) office has recently signaled that it will not delay enforcing the  California Consumer Privacy Act (CCPA), the state’s recently enacted data privacy regulations, amidst growing concerns about COVID-19 and the spread and impact of the pandemic. As of today, the CCPA’s enforcement will begin when the rules are finalized, or at the very latest by July 1, 2020. On March 17, a coalition of 35 businesses in the advertising sector sent a letter to AG Xavier Becerra with a request that the CCPA’s enforcement be delayed. The coalition explained that a temporary deferral of enforcement would help alleviate the pressure and stress that organizations are currently facing due to COVID-19.  On March 20, the coalition sent a revised letter to AG Becerra, as its numbers had increased to include 60 businesses.  

The AG’s office acknowledged concerns presented in the letter, but ultimately declined to delay the CCPA’s enforcement.  Specifically, an advisor to AG Becerra said that their office is “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first.”  The advisor further explained that the AG’s office is “mindful of the new reality created by COVID-19 and the heightened value of protecting consumers' privacy online that comes with it [and] encourages businesses to be particularly mindful of data security in this time of emergency.”

As businesses increasingly move to remote work setups and virtual collaboration due to COVID-19 and social distancing practices, evaluating and implementing data privacy measures may become that much more important.  The California AG’s position on enforcement signals the importance of establishing those telework relationships responsibly, and ensuring that data protection hygiene is improved during the COVID-19 crisis rather than relegated to a lower priority. In light of increasing cyberattacks during the pandemic, social engineering and fraud and the added cybersecurity risks that flow from more people working remotely, protecting personal information and other sensitive data may be an investment against multiple hazards. The California AG has clarified that the risks of investigation and fines under the CCPA are among them.