Key point: The California Attorney General’s office has not addressed whether businesses may delay responding to CCPA requests due to the Coronavirus pandemic; however, businesses can look to the CCPA’s 45-day extension for relief, at least with respect to responding to requests to know and delete.
To state the obvious, businesses subject to the California Consumer Privacy Act (CCPA) may have more urgent matters to handle these days than responding to CCPA consumer requests.
Yet, the California Attorney General’s office – the CCPA’s enforcement arm – has been silent on whether it will take into account these extenuating circumstances when exercising its enforcement authority come July 1. This may be due to the unique circumstance in which the Attorney General finds itself – i.e., stuck between the CCPA’s effective date and enforcement date.
Before the Coronavirus pandemic, the Attorney General publicly stated that CCPA enforcement actions can cover activities between January 1 and July 1 (see here and here). Whether or not that position is ultimately legal, it places businesses in a difficult situation when balancing Coronavirus-related business disruptions and responding to CCPA consumer requests in a timely manner.
By comparison, the United Kingdom’s Information Commissioner’s Office issued guidance in light of the crisis, explaining that it will take a pragmatic and reasonable approach to enforcement:
During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
Despite the absence of similar guidance from the California Attorney General’s office, businesses subject to the CCPA are not without some measure of relief – at least when responding to requests to know and delete. Businesses must respond to requests to know and delete within 45 calendar days of receipt of the request. However, § 1798.130(a)(2) states that the “time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.”
The ability to take a 45-day extension also is provided for in § 999.313(b) of the proposed regulations, which state: “If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days from the day the request is received, provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.”
Although the CCPA and draft regulations do not provide guidance on what qualifies as “necessary,” delays caused by Coronavirus-related business disruptions – if accurate – should certainly qualify.
Notwithstanding a business’s ability to exercise a 45-day extension, there are other CCPA requirements that businesses must take into account.
First, the CCPA still requires businesses to confirm receipt of requests to know and delete within 10 business days of receipt. Such confirmation must provide further information on their response and verification process. If not already done, businesses should draft these 10-day response letters now.
Second, as discussed, businesses will need to provide notice of the extension prior to the expiration of the initial 45-calendar-day period. Again, this type of correspondence can be drafted now.
Third, if possible, businesses should timely initiate their verification process. Section 1798.130(a)(2) states that the failure to verify a request cannot be a basis for extending the initial 45-day response period. Further, § 999.313(b) of the proposed regulations states that if “the business cannot verify the consumer request within the 45-day time period, the business may deny the request.” Accordingly, if, for example, a consumer fails to respond with the necessary verification information, a business would have a basis for denying the request entirely.
Fourth, and importantly, businesses must keep in mind that requests to opt out are subject to a 15-business-day compliance period, which cannot be extended. Pursuant to the most recent draft regulations, businesses that receive an opt-out request will have 15 business days to stop selling the consumer’s personal information. Further, if the business sells the consumer’s personal information during the time between receipt and processing of the request, it must notify the third parties to whom it sold the personal information that the consumer has exercised the right to opt out and direct those third parties not to further sell that consumer’s information.
Notably, the California Attorney General’s office has not stated whether it will delay either publication of the final regulations or the July 1 enforcement deadline as a result of Coronavirus. Advertising trade associations have asked for a delay in the July 1 enforcement deadline due to Coronavirus. In January, those organizations also asked for a delay due to the unfinished CCPA regulations. The Attorney General never responded to that request.