COVID-19 and the California Consumer Privacy Act (CCPA)
Way before the Coronavirus pandemic, businesses have been preparing for the impact of California Consumer Privacy Act (CCPA) enforcement. Now, they are faced with balancing coronavirus related business disruptions and ensuring compliance with the CCPA’s consumer request requirements in a timely manner. Courts are already starting to see private class actions brought under the CCPA even though there is still uncertainty around how to comply and interpret the law. In our current market, there are now new legal and compliance considerations around the CCPA that require particular attention.
Some examples include:
- Zoom. This communication platform quickly rose to the top of everyone’s list at the start of the quarantine, being used for everything from business meetings to group fitness classes to remote education. In mid-March, Vice revealed Zoom’s privacy gaps and how customer information was allegedly being leaked and shared with Facebook. This resulted in a class action suit being filed in California on March 31.
- Collection of physiological data of customers and travelers at grocery stores, airports, and perhaps restaurants and offices down the line. This includes body temperature and any tests conducted for antibodies.
- Location data picked up from smartphones to manage the response to COVID-19 and how effective social distancing and quarantine really is. There is a risk that temporary infringement on privacy by the government may become a permanent situation post-coronavirus pandemic.
- Remote working and collection of customer data. With the majority of companies working remotely and interacting with their customers online, how are those companies going about ensuring that customer information stays confidential and is properly collected and stored?
The CCPA law did not go into effect until January 1, 2020 and the California Attorney General was not to begin enforcing the law until at least July 1, 2020. With the COVID-19 pandemic, over 60 joint trade associations and industry groups have urged the Attorney General to delay the enforcement of the law due to the effect the pandemic is having across various industries. Despite the pleas, an advisor to Attorney General Becerra made a statement confirming that the AG’s Office will move forward with the enforcement of the CCPA starting July 1.
“Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” … “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
What this means – companies should not expect any slack from class action lawsuits or the enforcement of every requirement stated in the CCPA come July.
CCPA Issues Once Out of Quarantine
Once there is any semblance of normal life, it is likely that social distancing will still be an important component of day-to-day business. With that, there may be an increase in screening and collecting health information on individuals to track body temperature, other testing results, location information for personal movement, etc. What about all the notices to those individuals? What about the consent? Is there a way to opt-out?
For example, if this information gathering continues at a supermarket, the supermarket will need to build an entire privacy framework. This would include notices to the consumer, dealing with and providing verifiable customer requests, identifying a way to store all of the collected personal information, documenting who the collected data is being sent to and for what purpose, etc.
Going back to one of the concerns mentioned earlier around remote workers and the protection of collected personal information, there is an increase in data breaches, susceptibility to hackers, and simple misuse of the personal information collected. Because of the sudden onset of the pandemic and need to quickly make technology accommodations for remote access work, companies are deploying technology and platform solutions that may not have been properly vetted from an information security perspective. Companies may not be taking the time to consider all of the potential privacy and compliance risks associated with these new access platforms.
These concerns will continue to crop up over the coming months in line with the Attorney General’s decision to move forward with the enforcement of the CCPA starting July 1. Businesses need to continue to be on high alert when implementing new methods of mitigating the impact of the coronavirus pandemic and fighting to keep things ‘business as usual’, all to avoid any enforcement actions.