With the California Consumer Privacy Act in full force and effect, businesses in California and across the country are starting to wonder if the time to pass a national standard is now. However, with the 2020 election looming and little action from Washington, such a bill is unlikely to relieve California businesses in the near or even medium term future.

With required symptom checks and potential outbreaks among employees and customers, the Coronavirus has raised new questions regarding privacy for businesses across California.

Although the California Attorney General has only had the authority to enforce the California Consumer Privacy Act (CCPA) since July 1, 2020, it could be overhauled by a new privacy law that qualified for the 2020 November ballot in California.

Last month the California Attorney General announced that the Office of Administrative Law has approved the final California Consumer Privacy Act (CCPA) regulations. The final draft, submitted to OALL in late June of this year, is substantially the same as the final version, with minor tweaks that impact brick-and-mortar retailers. If your business has been waiting until final regulations to comply with the law, now is the time.

In December of 2019, a Florida car dealership was hit by a ransomware attack. This sophisticated style of data security attack breaks into a network and locks access to email, databases, and other essential files and programs. The hackers typically then demand a large payment in the form of an untraceable financial instrument. In this case the hackers demanded 65 Bitcoins, roughly equivalent to $600,000, to restore access to the dealership’s systems.

On February 10, 2020, the California Attorney General issued an amended version of its proposed California Consumer Privacy Act (CCPA) regulations in a redlined format. Overall the redlined regulations are generally favorable to businesses operating in California in that they clarify requirements without imposing significant new requirements. Here are changes that are particularly notable.

The California Department of Consumer Affairs (DCA), which includes the Bureau of Automotive Repair (BAR), is reporting that its licensees are being targeted in attempted fraud schemes and is urging awareness and caution. This is an important message for all staff members, but also a good opportunity to remind them that any communication with a licensing agency such as BAR or the Department of Motor Vehicles should be treated seriously. Following good fraud prevention habits will also help prevent important notices such as requests for information from falling in the cracks and leading to license enforcement.

The California Consumer Privacy Act includes multiple references to the idea of a “business purpose” for the use of consumer Personal Information (“PI”). For businesses covered by the CCPA, it is crucial to understand what “business purpose” means generally, what information uses of the business it specifically includes, and what obligations it triggers. In short, this type of information use must be disclosed to consumers, but also is generally shielded from deletion requirements and receives other potential protections.

In his first blog post of 2020, Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, described how the agency has improved its orders in data security cases. He cited seven cases as examples, each one addressing allegations of unauthorized access to consumer’s personal information.

Many automotive vendors rely on accessing automotive dealers’ customer data to provide services as varied as lead generation, vehicle tracking, and customer service. Under the CCPA, dealers may be held liable if any vendor misuses customer data or experiences a data breach. Each vendor that uses your customer data therefore has the potential to steeply increase your potential liability, particularly in light of the fact that you cannot directly control the vendor’s data use or data security practices.