At least for brick-and-mortar retailers, CCPA enforcement needs to take a sick day

The California Consumer Privacy Act went into effect on Jan. 1, but by statute the state attorney general won't bring any enforcement action until July 1, or when the regulations are finalized, whichever is earlier.

With the regulatory process still ongoing, the July 1 deadline is on track to become a reality.

However, the cacophony of requests to indefinitely delay everything from Coachella to the tax filing deadline to the Summer Olympics included calls from businesses across the state urging the attorney general to delay enforcement of the state's new consumer privacy law. The business leaders argued that the coronavirus has further complicated companies' efforts to get up to speed with their still-evolving obligations.

The need for such a delay is particularly acute for the state's brick-and-mortar retailers. For many of them, this is one more burden as they shut their doors indefinitely and try to figure out how to stay solvent amid what is quickly becoming the most devastating pandemic of our lifetime.

The CCPA passed in 2018 and is widely considered the nation's most protective customer privacy law. The law gives customers new rights, including to ask many businesses what type of information they store about the customer, to delete the data stored, and to stop selling the customers' data. It also creates new legal liabilities in the case of a breach of customer data. Businesses must also provide customers notices of what types of information they collect and sell prior to any collection activity.

The attorney general released his first set of regulations implementing the law in November 2019. Since then, his office has released two new, amended versions, one in February and the most recent in early March. Each new set of regulations changes the legal requirements for compliance, meaning that businesses must adjust their compliance or account for the new rules while developing their compliance plans.

Newer Versions of Regulations Require In-Store Opportunities to Exercise CCPA Rights

The February amendments to the regulations pose particular challenges for brick-and-mortar retailers. The amended regulations specifically address in-store requests by consumers to exercise their data rights under the CCPA. The law states that businesses "shall consider" providing some type of in-store method to exercise these rights. Options described in the regulations include making a phone available where the consumer may call the company's phone number and offering an in-store form for consumers to inquire about how their information is used.

Many, if not most, retailers had not yet considered or developed an in-store method for consumers to exercise their CCPA rights by the time business across the state shutdown. And with the shutdown, most will find it hard to design and implement a consistent approach to offering data request options to consumers. Under normal circumstances, developing compliance programs requires a practical approach and feedback from those implementing the plan. Without active stores, brick-and-mortar retailers will struggle to design a program without the input and feedback from their customer-facing employees.

Education and Training Requirements Will Prove Difficult

Store shutdowns will also have a ripple effect with other areas of CCPA compliance. The attorney general's draft regulations require that businesses educate all staff responsible for answering questions about the businesses' CCPA policy about the requirements of the law and how customers may exercise their rights. This requirement will prove nearly impossible to meet while the vast majority of retailers are shuttered.

Implementation Problems Likely

Finally, with delays in finalizing in-store CCPA policies and an inability to train in-store staff, retailers are likely to encounter a number of implementation problems. Based on current projections, stores in California are likely to be opening up only a few months, perhaps only a couple of weeks, before the implementation deadline. Once stores are open they will likely also be under mandates to continue social distancing practices. These issues will complicate businesses' attempts to implement CCPA compliance, as practices in the store will likely deviate from normal and there will be competition for attention to compliance issues.

Potential Hope on the Horizon

A consortium of 33 tech industry associations, companies and other organizations sent a letter last week to the attorney general requesting that his office delay CCPA enforcement due to the COVID-19 outbreak and state-wide shelter in place order. This group is arguing that their efforts are currently focused on responding to the crisis, which will delay compliance. They ask that the enforcement deadline be moved until the beginning of 2021.

While the specific concerns of these groups will likely differ in some respects from those of brick-and-mortar retailers, the demanded relief will help brick-and-mortar retailers even more. COVID-19 poses a grave threat to health and safety; businesses that shut down to stem the spread should not face potentially crippling enforcement actions due to the unanticipated difficulty the current shutdown presents. 