CCPA set to move forward

CCPA set to Move Forward as Scheduled Despite COVID-19 Challenges.

The California Consumer Privacy Act (CCPA) is set to move forward as scheduled on July 1, 2020, despite the challenges presented by the COVID-19 pandemic.


As various states and countries implement lockdowns and stay-at-home orders in an effort to deal with the coronavirus pandemic, many events, initiatives and processes are being cancelled or, at best, delayed. Many businesses and other organizations have resorted to shutting down or digitising their operations to cope with the uncertain times. However, California Attorney General Xavier Becerra has no intention of delaying the implementation of the California Consumer Privacy Act, which is expected to be enforced on or before July 1, 2020. Despite pushback from a coalition, which is asking for this initiative to be postponed as businesses and organisations focus on dealing with challenges presented by COVID-19, Becerra seems, so far, unmoved.


The California Attorney General plans to proceed with implementation of the law despite pushback.


An advisor for the California Attorney General affirmed that they are committed to enforcing the law upon finalizing the rules or July 1, whichever comes first, and stated “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” The coalition, which is now comprised of 60 groups, stated “A temporary deferral in enforcement of the CCPA would relieve many pressures and stressors placed on organizations due to COVID-19 and would better enable business leaders to make responsible decisions that prioritize the needs and health of their workforce over other matters.”


The Civil Code allows for an enforcement of the CCPA on July 1, but not prior to that.


According to one of the groups that is part of the coalition, “The law, Civil Code Section 1798.85(c), states that ‘The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.’ So that means July 1, period.”

CCPA was approved in September 2018

The Initial Proposed Regulations were first published on October 11, 2019, and two sets of modifications, on February 10, 2020 and March 11, 2020, have been released since then.

According to Cristina Contero Almagro, Aphaia’s Partner, “one should note that CCPA was approved in September 2018, commencing on January 1, 2020, subject to the publication of the final regulations. This means that businesses have had more than a year so far to adapt their processes to the main requirements of the CCPA”.


Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and CCPA consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


DPO-legal counsel collaboration is essential. So we recommend LegalEdge

DPO-legal counsel collaboration is essential. That is why the Aphaia DPO team is always happy to work with in-house counsel from LegalEdge, whose COO Helen Goldberg and CEO Donna Sewell use this blog post to ask: ‘Are you spending too much (or too little!) on your legals?’ 


Part of scaling-up and growing your business means increasing your ops team to get better processes in place that help increase revenue, whilst managing and protecting assets and risk. But many companies still either over-pay or wing-it when it comes to one function: legal. They either:

  1. use the corporate lawyer who did a great job on their last funding round but doesn’t know how to prioritise and manage work for fast-growth companies with limited budgets, OR
  2. buy templates, fill in the blanks, and hope it doesn’t go wrong, as the team juggle legal with their day job.

Legal is often low on the to-do list. Until something bad happens. Contracts with customers and partners get stuck. An ex-employee causes problems. A customer stops paying. At that stage it’s too late, so an expensive specialist is parachuted in to try to fix the problem.

Do you get an ROI from that? Undoubtedly not.

So, what’s the alternative?  How do you avoid wasting management time and money dealing with crises?  How do you get legal to grow up with the rest of the business and provide an ROI?

  1. Think differently. Good legal support should be part of your ops team, not treated as an expensive afterthought.  Get the right resource in place that’s proactive, not reactive, and knows your type of business. And set the tone from the top that legal is important and valued. Having someone who’s worked in a business like yours is critical.  They can help work out what to worry about and what’s not important. And what to spend. As well as what tech can help. It’s a practical commercial approach that needs the right skill set.
  2. Have a strategy and budget for legal. That will help drive revenues and protect and make the most of your assets (whilst minimising nasty surprises). It will also help prepare for big milestones, like attracting investment, going into new markets, offering new products and services. As with anything, if you get the right resources (people and tech) in place they will do this for you AND manage the budget.
  3. Look at processes. The right processes should make it easier for you to do business. If contracts aren’t closed out quickly and effectively your sales cycle slows and revenue growth stops. And bad / unprofitable deals cost money and management time. Do your team know what they can negotiate, and what they should escalate? Do they know what’s got to be delivered under key contracts? Who’s responsible for what and what the risks are if not? A good in-house lawyer will get the right processes in place for all of this.

LegalEdge has innovated and re-engineered the way lawyers work to ensure you get an ROI from legal services. We have a team of experienced in-house lawyers, all of whom have worked in businesses like yours, using tried and tested documents, processes and tech. Our innovative way of working also means you get the benefit of the associated cost savings, so we can make your legal budget stretch further. We’re more than a one-off out-sourced service, we’re an extension of your management team, providing a longer-term cost-effective, practical and business-focused service.

As experienced outsourced Data Protection Officers (DPO), Aphaia recommends our brilliant in-house counsel partners LegalEdge to complement our work.


Flex your online privacy muscle!

Bodybuilder Rocheal Philip helped Aphaia put together advice on how to show off online – without hurting your online privacy and personal data.


In Rocheal Philip’s business, public online presence is indispensable. But so is drawing a line between public and private life, and not sharing the latter with everyone. Here are some tips:

What data do you share?

Rocheal’s fans can see her muscle and follow the competitions she attends, but they would not know much about her whereabouts and the details of her family life. She draws a line between what is important for them and what is not.

How do you share?

Some things can be shared with the public and all the fans. Others should be shared with friends only. Keeping separate social media profiles with different privacy settings is a good idea. “Everyone can follow my bodybuilding career on Instagram but my Facebook is for my friends only.”

Claim your online privacy!

Always be aware of what is visible to whom. Check your general privacy settings on your social media profiles, and privacy settings for each post, where applicable. Test those settings in practice. Be ready to ask your service providers questions about your data and about your rights.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.


GDPR and social media: EU Court on fan pages on Facebook

Earlier this month the ECJ published a preliminary ruling finding the fan page admin jointly responsible with Facebook for the personal data of the visitors. Although the decision refers to the previously enforceable EU Data Protection Directive, the new rule paves the way for GDPR and social media practice, since the definition of the processor has not been altered.


The dispute had arisen in 2011 when the data-protection authority of Schleswig-Holstein ordered an educational academy, under the name of Wirtschaftsakademie, to delete its Facebook fan page because it failed to inform its users that personal data had been collected and processed via cookies. In particular, Wirtschaftsakademie used the Insights tool provided by Facebook, which provided demographic data of its audience following the processing of personal information such as age, sex, relationships, occupation, and information on lifestyles and centres of interest. Based on the anonymised demographic data, the admin is able to customise its Facebook content to target the relevant audience.

Wirtschaftsakademie argued before the German administrative courts that it was not responsible for the data collected by Facebook without its instructions. However, the ECJ, after being asked by the national court, decided that the fan page admin and Facebook are jointly responsible as controllers of the personal data. The fact that the platform used to process the personal data was provided by Facebook cannot justify an exemption from the joint liability.

Nonetheless, in this dispute with crucial GDPR and social media implications, the European Court clarified that the responsibility of the two controllers, who are involved in different stages of the process, may not be equal. Therefore the level of responsibility of each operator should be assessed after taking all relevant circumstances of the case into consideration.

Do you require assistance understanding GDPR and social media? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.