Skip to main content

California AG Releases Long-Awaited CCPA Final Regulations

On June 1, 2020, California Attorney General Xavier Becerra submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The package includes the Final Text of Regulations and Final Statement of Reasonsfor the amendments to previous drafts. The regulations offer guidance to businesses on how to comply with the CCPA. Substantively, the regulations remain unchanged from the last draft submitted in March of this year.

There have been several iterations of the draft regulations. The initial Proposed Text of Regulations was released on October 10, 2019, and it clarified a number of issues raised by stakeholders after the CCPA was passed. The draft (which we previously discussed here) included detailed requirements related to notices to consumers, guidelines for privacy policies, procedures for handling consumer requests, directions on how businesses must obtain consent and verify that the person authorizing consent for a child under age 13 is a parent, opt-in requirements for tweens 13 to16 years old, and estimates on the costs of compliance. During the 45-day comment period, stakeholders submitted some 1,700 comments, leading to modifications to the regulations published on February 7, 2020. These changes included an exemption for data brokers, a new design for the opt-out button required for "sales" of personal information, and rules on how businesses should respond to consumer requests for information. The California Department of Justice issued a second set of modifications on March 11, 2020, which eliminated the opt-out button and clarified procedures for responding to consumer requests. Notably, in all three drafts, the most controversial provision, the private right of action for data breaches, was left untouched.

Despite pleas from the business community to delay enforcement of the CCPA due to the massive challenges of working in a remote environment because of the coronavirus pandemic, Attorney General Becerra stood firm in his insistence that enforcement would commence as scheduled. However, the late submission of the final draft regulations means that enforcement may not take place until the fall, since the regulations must first be approved by the OAL, which has 90 days to make its decision. AG Becerra did request expedited review by the OAL, and it is important to remember that the statute is in effect as of January 1, 2020. Businesses that must comply with the CCPA should also keep in mind that the statute includes a 12-month "look-back" requirement that allows consumers to request their records dating back one year from when a request is made.

While the CCPA regulations await the final legal steps for entry into force, the new ballot initiative to pass even more stringent privacy legislation in California is advancing. On May 4, 2020, the California Privacy Rights Act (CPRA), received the requisite number of signatures to proceed to November's ballot. If passed, the CPRA - often referred to as "CCPA 2.0" - would, among other things, triple the CCPA's fines for violating rules regarding selling children's personal information, restrict data retention of personal information, require "reasonable" data security practices to be implemented, and provide consumers with a new "right of correction" for any inaccuracies in their personal information. The CPRA would also make it harder for businesses to defend against the CCPA's private right of action for data breaches, as implementing and maintaining reasonable security procedures and practices after a breach would no longer be an adequate defense. In addition, the CPRA establishes a new state authority, the California Privacy Protection Agency, to enforce privacy rights in California.

Businesses have been preparing for compliance for many months and this potential temporary reprieve due to the delay in issuing final rules is going to be short-lived. Should the CPRA pass in November, however, the challenges for business will be even greater and the national landscape will be even more complicated.