Tech & Sourcing @ Morgan Lewis


The July 1 enforcement of the California Consumer Privacy Act (CCPA) is one week away. Despite calls by the business community and trade associations to push back the enforcement date to January 2021 due to the coronavirus (COVID-19) pandemic and related disruptions to compliance efforts, the California state attorney general issued a press release on June 2 stating, “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

Additionally, on June 1, the attorney general took action to finalize the CCPA regulations by submitting the final text of the proposed regulations to the California Office of Administrative Law, requesting expedited review in an attempt to have the regulations adopted and enforceable by July 1.

A recent Insight by our Morgan Lewis colleagues discusses the current CCPA landscape and provides these practical steps that companies can take before enforcement begins:

  • Amend your website privacy policy
  • Revise your website home page
  • Increase your data mapping efforts and form a compliance team
  • Create a mechanism to receive, verify, and respond to consumer requests
  • Conduct training, including remotely if necessary
  • Update document retention policies
  • Provide notices to employees, job applicants, contractors, officers, and directors

As our colleagues note, businesses should also amend third-party provider agreements to ensure that they limit the provider’s use of personal information as prescribed in the CCPA. Without a CCPA-compliant agreement, the disclosure of personal information to a third-party provider may constitute a sale of personal information that triggers the consumer’s opt-out right.

Check out the full Insight for additional details and discussion of the practical steps.