Pandemic complicates already challenging privacy law enactment

A group of more than 60 trade organizations wrote a letter to California Attorney General Xavier Becerra to delay the enforcement deadline of the California Consumer Privacy Act from July 1 to Jan. 2 in response to the coronavirus' impact on businesses.

"So many systems and deadlines have been postponed in order to accommodate the governor's stay-at-home directives, and we think that CCPA implementation shouldn't be any different," said Civil Justice Association of California CEO Kyla Christofferson, one of the organizations that signed the letter. "If these challenging times necessitate postponing other system deadlines, like Real ID and taxes, then the same should hold true for implementing systems for a complex new law like CCPA."

Nonprofit advocacy group Consumer Reports Inc. has already protested the potential delay, saying it's important to enforce the CCPA during a time people are relying on online shopping.

Newmeyer Dillion LLP partner Heather H. Whitehead said that concern is reasonable but noted companies are supposed to be fully in compliance with CCPA regulations in three months, which she said is limited time to respond to regulations that have not yet been finalized.

"90 days is a very short timeframe to go through the steps, particularly if you haven't started the process," Whitehead said.

Cybersecurity attorneys say the most recent changes to the CCPA, released March 11, could be the final regulation revisions as the enforcement deadline approaches. Though the current timeline doesn't leave much room for businesses to adapt to the regulations, the March changes to the CCPA involved mostly minor adjustments, according to Morgan, Lewis & Bockius LLP partner W. Reece Hirsch, who heads the firm's cybersecurity practice.

"I think that there are ambiguities, but I think the picture is clear enough at this time that companies can begin to really commence CCPA compliance efforts in earnest if they haven't already," Hirsch said.

One change to note that came in the March 11 regulation text revision is the definition of personal information, Hirsch said. The text of a February draft revision elaborated on information that will not be considered personal data, with the most important example being IP addresses that cannot be linked to more sensitive information. In the March changes, that language was removed.

"That example was striking to begin with because it carved out what people understood about how the CCPA was going to work," said Orange County Rutan & Tucker partner Michael A. Hellbusch. "They removed that, and it kind of created this scenario where we're kind of back to square one on the questions we had about how to interpret the CCPA to begin with."

Manatt, Phelps & Phillips LLP partner Brandon Reilly said the removal brings attorneys and businesses "back to square one," even though the understanding has always been that the CCPA is a dynamic piece of legislation that could change at any moment.

"It's a challenge, especially for something as fundamental to the law as the definition of the very data that's being regulated," he said. "A lot of decisions flow from reasonable interpretations of those definitions."

Michael A. Gold, Jeffer Mangels Butler & Mitchell LLP partner and co-chair of the firm's cybersecurity group, said his approach to advising clients about how to comply with possibly vague regulations is to understand that while regulations may change, the spirit of the CCPA's privacy principles are static.

"The principle of transparency, of clarity, those are really good guides regardless of what the ultimate version of the regulations may say," Gold said. "If you're crafting a privacy policy for a client and a significant consumer-facing business and you're dealing with a law, the CCPA, that requires transparency and disclosures, that gets you a long way toward where you have to be in establishing a compliant privacy policy."

Another March draft change is the notice requirement in privacy policies. The February draft revisions removed language stating businesses must identify categories of sources they collect data from as well as explain why a user's personal information is being gathered or sold. The March changes put that language back in.

"It was a little mystifying why they removed it in the first place," Hirsch said. "I hate to speculate. It almost seems like it was an error to take out the first time because I can't imagine why they did it, really."

Hellbusch sees the change as the attorney general's office's effort to make the regulation manageable for businesses and fair to consumers while keeping with the language of the law.

"I think they're struggling to find a workable way to operationalize what the statute of the CCPA says and balancing that with what businesses are able to do with respect to how the data is gathered," Hellbusch said. "When they propose something, they obviously get a lot of comments some way and the other on what to do in a given scenario, and I think they're just trying to find balance with how to actually regulate what the law says and make it workable for businesses and consumers."

Reilly said businesses, especially larger ones and those dependent on data, need a lot of time to build their compliance with the law, and that time is shrinking as the July 1 enforcement date draws closer. Christofferson said with businesses asking for more time even before the coronavirus pandemic, it's crucial that the attorney general extend the enforcement deadline.

"Now that this pandemic has come about, that exacerbates the difficulty of complying," Christofferson said. "We've got workforces that are fragmented and remote right now. ... Trying to develop new and complicated business procedures to comply with CCPA right now is a nearly impossible task."