June 30, 2020

CCPA Enforcement Begins July 1, 2020

For those unaware, CCPA officially went into effect on January 1, 2020, but its enforcement was delayed for 6 months. This effectively meant that companies had an additional 6 months to achieve compliance. For those companies waiting until the last minute, your time is almost over.

Though some have argued that the enforcement date should be pushed back due to uncertainty caused by COVID-19 (and the AG’s late submission of the final regulations), the AG has refused to delay enforcement. While the final regulations still need to be approved by the California Office of Administrative Law, the AG has requested expedited review and announced that he intends to enforce the CCPA before final regulation approval, if necessary.

Enforcement of CCPA will begin with the issuance of notices to violators, after which they will have a 30-day period to cure their violations. After the 30-day cure period, the AG may seek penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, subject to his discretion. Note that because the definition of “violation” under CCPA is unclear, early enforcement may result in each individual consumer claim being classified as a violation.

Please note that this enforcement may immediately affect your business if you have any presence in California (a website targeting California consumers is sufficient but not required), and you meet any of the following thresholds:

  • Have annual gross revenues of $25 million;
  • Annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50 percent or more of your annual revenue from selling consumers’ personal information.

For more information on CCPA or other data privacy matters, please contact a Kerr Russell attorney.

Nezar Habhab headshotNezar G. Habhab has a broad transactional practice handling matters related to leasing and purchasing, mergers and acquisitions, entity formation, commercial contracts, as well as data privacy. He works as part of firm’s Data Privacy and Cybersecurity team to draft and review company policies, facilitate cross-border data transfer arrangements, and counsel clients on the risks associated with the control and processing of data around the globe. Additionally, Nezar is experienced in drafting and negotiating a variety of artist, influencer, branding, and licensing agreements in the experiential and marketing space for both SAG-AFTRA and non-SAG talent.



Other posts to consider: