Last week, a coalition of over sixty trade associations and businesses representing almost every business sector authored a joint letter to the California Attorney General requesting that the Attorney General defer enforcement of the CCPA in light of the COVID-19 pandemic.  Although the CCPA has been in effect since January 1, 2020, the Attorney General is not set to commence enforcement actions under CCPA until July 1, 2020.  The basis for the request to defer enforcement of the CCPA centered on two grounds: (1) the significant challenges associated with implementing compliance with a new law when the majority of businesses are either closed or operating remotely and (2) the lack of final regulations providing critical guidance about interpreting the CCPA from the Attorney General.

The Attorney General’s office has signaled, however, in response to a request for comment by Forbes, that businesses subject to the CCPA should not expect any delays in enforcement.  “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first.” “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”  Under the CCPA, the Attorney General’s office may commence enforcement upon six months of the issuance of its final regulations or by July 1, 2020, whichever is sooner.  Because the Attorney General has not issued final regulations, it now means that the earliest that the Attorney General can commence enforcement actions is July 1.

Despite the challenges that all businesses are facing in light of COVID-19, it is essential that businesses continue to comply with the CCPA by (1) ensuring that their privacy policies and notices are CCPA compliant; (2) continuing to timely respond to consumer’s requests; and (3) ensuring that reasonable security measures are in place to prevent security breaches (especially now that many workers are accessing computer systems remotely).

For more information regarding this post, please contact Ashley R. Fickel.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.