On June 1, 2020, the Office of the California Attorney General (OAG) submitted the final proposed regulations (final regs) under the California Consumer Privacy Act (CCPA or the Title) to the California Office of Administrative Law (OAL). OAL now has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the regs for procedural compliance with the Administrative Procedure Act. Although we do not expect OAL to make any substantive changes to the regs, we are still one procedural step away from the regs being filed with the secretary of state by OAL and becoming enforceable by law. Noting the July 1, 2020, statutory mandate for the regulations, the OAG petitioned OAL for expedited review and submission to the secretary of state prior to that date and for effectiveness upon submission to the secretary. As we have previously explained, there is a legal basis for this approach. BakerHostetler and several industry groups filed comments with the OAG in mid-March, as the pandemic was breaking, asking for a continuation of delay in the enforcement of the CCPA until six months after the regs become final, in part to help companies focus on COVID-19. Those comments now have been rejected by the OAG, and enforcement of the CCPA will begin on July 1, 2020, regardless of when final regulations are promulgated, absent action by the governor or the Legislature. The final regulations remain unchanged from the third version published for comment in March. Businesses should complete their CCPA compliance work based on these proposed final regulations in advance of July 1.
The final regulations provide guidance on certain key requirements under the CCPA, including definitions (Article 1), notice requirements (Article 2), businesses’ obligations in handling consumer rights requests (Article 3), requirements for verification of consumers making requests (Article 4), special rules regarding minors (Article 5) and use cases for applying the CCPA’s non-discrimination mandate (Article 6). The regs also flesh out what service providers can and must do (Section 999.314), expand on training and record- keeping requirements (Section 999.317), and explain what businesses can and must do in response to a request putatively made by an agent acting on behalf of a consumer (Section 999.326). Notably absent are guidance on the design of a standard “do not sell” opt-out button, guidance on the meaning and scope of “sell,” and information about how to treat third-party cookies. An analysis of the regulations with practical takeaways is available here.