There is no doubt that we are generating, processing, and transferring more data RIGHT NOW than we ever have before. It is almost certain that our data generation, processing and transmission is many, many times greater today than it was at this same time last week—not to mention last month—because of “work-around” efforts due to the novel coronavirus.
While companies compiling this data had a pretty good sense of who you were before, just think what they know about you now. Every minute you work, you are online. Every school lesson your child learns is transmitted online. Extracurricular activities are sent online – karate lessons; speech therapy lessons; dance lessons; music lessons; you name it. Food shopping—online. Other shopping for needed items—online. Prescription refill—online. You want to get together with friends and play a game? You set up a “Zoom” chat and play Trivial Pursuit over your iPhones. You’re bored? You browse online. You read about the news. You read about your hobbies. You read about your profession. You shop. You text with your friends.
Meanwhile, your home—filled with sensors about your everyday habits—went from recording you before and after work, and on weekends, to having you around 24/7. Your thermostat, your home security cameras, your refrigerator, your Alexa, your television, your doorbell, and the list goes on—they are all working overtime, compiling way more data today than they ever have before. And your Apple Watch/Fitbit will tell you whether—in view of all of these changes—you are standing up, moving, and sleeping more or less than you did before all of these changes started taking place. Your phone is likely reporting that your “screentime” is up from prior weeks.
And yet, while the data that companies are obtaining (and storing and processing) about you is increasing exponentially, the question is being asked whether enforcement of the California Consumer Privacy Act (CCPA) should be delayed.
CCPA took effect on January 1, 2020. However, California’s attorney general was prohibited from bringing enforcement actions until July 1, 2020. As a result, a number of companies assumed some risk and delayed compliance measures, with the goal of complying by July 1 instead of January 1, 2020.
Now companies are asking California’s attorney general to delay enforcement of CCPA even longer because of the novel coronavirus, which causes the disease known as COVID-19. In a letter sent on Tuesday, March 17, 2020, the California Chamber of Commerce, United Parcel Service (UPS), the Internet Coalition, the Association of National Advertisers and 30 others requested that the CCPA enforcement deadline be pushed back to January 2, 2021.
On one hand, it makes total sense that enforcement should be delayed. Many companies have instituted work-from-home measures to limit community spread of the COVID-19 disease, and it would be difficult for these companies to come into compliance when there are no (or limited) on-site staff to build and test the new systems and processes that are implemented to comply with CCPA. Further, companies have a lot of other financial, business, and personnel issues to deal with right now.
On the other hand, would the delay of enforcement of CCPA signal that personal privacy, data protection, and cybersecurity issues are less important than everything else? Yes, companies have a lot of other financial, business and personnel issues to deal with, but they are likely also collecting personal information at the same time, and as long as they are collecting personal information, shouldn’t they also comply with the laws regarding that collection of personal information?
One potential solution is a “split the baby” approach. Perhaps there should be a grace period on enforcement of some parts of CCPA (particularly those that may be overly burdensome for companies to implement in the current situation) like data subject access requests, but no delay in enforcement of other parts of CCPA that are arguably more critical in this period of increased data (and increased “bad actors” trying to improperly access/use that data) such as the CCPA’s “reasonable security procedures” requirement.
At the end of the day, regardless of whether California’s attorney general decides to delay enforcement of CCPA, it is in every company’s best interest to ensure they are taking “reasonable security” measures. This includes things like ensuring personal information is encrypted or redacted, ensuring your network is secure (through, inter alia, two-factor (or better) authentication for end-users, anti-virus protection, and routinely updated and patched software), ensuring your document retention policy is not overbroad, and ensuring good email security (including training employees to recognize email hoaxes).
This will protect your customers, your employees, and your company.
And if CCPA applies to you, you are legally obligated to take such “reasonable security” measures, as CCPA provides individuals with the right to obtain statutory damages of $100 to $750 per defined data breach if “reasonable security procedures” are not in place.