CCPA final regulations submitted, including a hint of what is on the horizon in California
On June 1, 2020, the California Attorney General submitted the final text of the proposed regulations under the California Consumer Privacy Act (CCPA) to the state’s Office of Administrative Law (OAL) for approval. Upon submission, OAL would typically have 30 working days to review the submitted regulations to ensure compliance with the California Administrative Procedure Act. However, in light of COVID-19, California Governor Gavin Newsome enacted Executive Order N-40-20, which operates to give OAL an additional 60 calendar days to complete its review. Notwithstanding the executive order, the attorney general has requested that OAL complete its review within 30 working days – ostensibly to hit the statute’s July 1, 2020, enforcement date. As of this writing, the regulations are listed as “under review” on OAL’s webpage (along with dozens of other regulations).
These long-awaited final regulations follow months of public hearings and more than 1,000 public comments. For businesses that have devoted time and effort into early compliance efforts, the final regulations bear some good news: they are substantively identical to the Second Modified Regulations that were released in March of this year. For those that have opted to wait, the next few weeks may prove to be a heavy lift.
To that end, now is the time to develop an understanding of how CCPA impacts your business and identify the steps necessary to come into compliance. If your business is subject to the CCPA, your privacy policies will almost certainly require updating. If you operate a mobile app, its privacy policy will likely also need updating. Additionally, consider how your business collects, retains, uses and shares personal information. The CCPA contains a robust process to allow consumers to know, delete and opt out of certain business practices.
Come July 1, or shortly thereafter, the California attorney general may begin to pursue civil enforcement penalties under the CCPA for non-compliance. And, while the CCPA contains a “cure” period – a time in which the business may remedy a perceived wrong – such a period is limited to 30 days, and the penalties for not coming into compliance may be hefty and may accumulate quickly.
The California attorney general’s CCPA page contains the entire final proposed regulations package.