Final CCPA Regulations Filed by California AG

Cybersecurity & Data Privacy

The California Attorney General (“AG”) has submitted the final proposed regulations under the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”). It remains unclear when the regulations will be effective and when enforcement will begin, though the AG has requested expedited review, so it is still possible that enforcement will start as early as July 1, 2020.

The California AG submitted the final text of the CCPA regulations on June 1, 2020, to the California OAL for review. No material revisions were made to the regulations from the second revisions to the proposed regulations that were released by the AG in March 2020. It remains uncertain whether enforcement will still start on the July 1, 2020 effective date set forth in the CCPA.

The typical 30-day review and approval period was recently extended to 90 days by Gov. Gavin Newsom’s Governor’s Executive Order N-40-20 related to the pandemic. However, businesses should not assume that the OAL will not approve the regulations. In a statement filed with the regulations, the AG has requested that the OAL complete an expedited review of the regulations within 30 days so that enforcement can begin on July 1, 2020. If the request is denied, the date on which the regulations will take effect will depend on when the final regulations are filed with the Secretary of State. The regulations will take effect on October 1, 2020, if the final regulations are filed on or before August 31, 2020. Otherwise, the regulations will not take effect until at least January 1, 2021.

The final text of the proposed regulations, along with the accompanying documents submitted to the OAL, can be found here. A selection of explanations behind some of the most notable changes made to the regulations throughout the various drafts is available in the AG’s Final Statement of Reasons. The explanations provide greater clarity for businesses finalizing their CCPA compliance efforts.

Whether enforcement begins on July 1 or October 1, 2020, businesses that fall within the scope of the CCPA should work now to make sure that they finalize their compliance efforts, as the law has been in effect since January 1, 2020. Blank Rome’s Cybersecurity & Data Privacy group stands ready to assist, including in preparing policies and procedures, implementing contracts with service providers, and training employees.

© 2020 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.