CCPA Regulations Finalized

Final CCPA regulations submitted, but it is not clear if they will be approved by 1 July as required by the statute. However, if a follow-on ballot initiative becomes law, these regulations could be moot or greatly changed.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Office of California Attorney General Xavier Becerra has submitted its finalized regulations to implement the “California Consumer Privacy Act” (CCPA) (AB 375) to the Office of Administrative Law (OAL), typically the last step in the regulatory process in California. The Office of the Attorney General (OAG) is requesting expedited review so the regulations may become effective on 1 July as required by the CCPA. However, the OAL has 30 days per California law to review regulations to ensure compliance with California’s Administrative Procedure Act (APA). However, under Executive Order N-40-20, issued in response to the COVID-19 pandemic, the OAL has been given an additional 60 days beyond the 30 statutory days to review regulations, so it is possible the CCPA regulations are not effective on 1 July. In fact, it could be three months before they are effective, meaning early September.

With respect to the substance, the final regulations are very similar to the third round of regulations circulated for comment in March, in part, in response to legislation passed and signed into law last fall that modified the CCPA. The OAG released other documents along with the finalized regulations:

• Final Statement of Reasons
• Appendix A. Summary and Response to Comments Submitted during 45-Day Period
• Appendix B. List of Commenters from 45-Day Period
• Appendix C. Summary and Response to Comments Submitted during 1st 15-Day Period
• Appendix D. List of Commenters from 1st 15-Day Period
• Appendix E. Summary and Response to Comments Submitted during 2nd 15-Day Period
• Appendix F. List of Commenters from 2nd 15-Day Period

For further reading on the third round of proposed CCPA regulations, see this issue of the Technology Policy Update, for the second round, see here, and for the first round, see here. Additionally, to read more on the legislation signed into law last fall, modifying the CCPA, see this issue.

Moreover, Californians for Consumer Privacy have submitted the “California Privacy Rights Act” (CPRA) for the November 2020 ballot. This follow on statute to the CCPA could again force the legislature into making a deal that would revamp privacy laws in California as happened when the CCPA was added to the ballot in 2018. It is also possible this statute remains on the ballot and is added to California’s laws. In either case, much of the CCPA and its regulations may be moot or in effect for only the few years it takes for a new privacy regulatory structure to be established as laid out in the CPRA. See here for more detail.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.