It looks like the California Attorney General’s implementing regulations for the California Consumer Privacy Act (“CCPA”) are, finally, final. On June 1, 2020, the California Attorney General submitted for publication the final proposed regulations.

The California Office of Administrative Law now has 30 working days, plus an additional 60 calendar days under an Executive Order issued in connection with the COVID-19 pandemic, to review and approve the regulations. This means the regulations may not take effect until October 1, 2020. The California Attorney General has requested expedited review in hopes that the regulations can be published by July 1, 2020.

Regardless of the regulations’ final effective date, the California Attorney General’s office has stated that the office remains committed to enforcing the CCPA beginning July 1, 2020. That is when the law becomes enforceable, whether or not the regulations have been published.

The final proposed regulations are unchanged from the second set of draft regulations that were released in March 2020. Our prior update describes the major provisions in the March draft.

At a high level, these regulations put “meat on the bones” of the somewhat sparse statutory text of CCPA. Companies covered by CCPA can look to the regulations for details on:

  • When and how a business must provide notices to consumers regarding the collection of their personal information, the right to opt out of the sale of their information, and the financial incentives or price or service differences the business offers in connection with the collection and use of personal information;
  • The form, content, posting and accessibility of a business’s privacy policy;
  • How to verify and respond to consumer requests to know, delete and/or opt out of the sale of their personal information;
  • Record-keeping, training staff and maintaining metrics on compliance with the CCPA; and
  • How to handle minors’ personal information.

It remains to be seen what the California Office of Administrative Law will do, and when, with the Attorney General’s June 1 release. Yet this seems a safe bet: the June 1 version of the regulations will likely become, at some point, the enforceable version. Companies that are mapping their compliance programs to CCPA therefore can look to the June 1 version with confidence as they do so.

To subscribe to the Data Blog, please click here.

Author

Jeffrey Cunard, managing partner of Debevoise's Washington, D.C. office, leads the firm’s corporate intellectual property, information technology and e-commerce practices. He has broad experience in transactions, including software and technology licenses, joint ventures, mergers and acquisitions, and outsourcing arrangements. Mr. Cunard’s practice also encompasses copyright litigation. He is an internationally recognized practitioner in the field of the Internet and cyberlaw, a member of the firm’s Data Strategy & Security practice, and advises in U.S. and international media and telecommunications law, including privatizations and regulatory advice. He can be reached at jpcunard@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and complex commercial litigation. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Lisa Zornberg is a Debevoise litigation partner based in the firm’s New York office. She is a member of the White Collar & Regulatory Defense Group, where her practice focuses on white collar defense, regulatory enforcement actions and internal investigations – including cyber investigations – for corporations and financial institutions, as well as complex civil litigation. She can be reached at lzornberg@debevoise.com.

Author

Jeremy C. Beutler is an associate in Debevoise's Litigation Department. He can be reached at jcbeutler@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Christopher S. Ford is an associate in Debevoise's Litigation Department who is a member of the firm’s Intellectual Property Litigation group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.

Author

Alexandra P. Swain is a Debevoise litigation associate. Her practice focuses on intellectual property, data privacy, and cybersecurity issues. She can be reached at apswain@debevoise.com.