Home > Insights > Blogs > Cybersecurity Bits and Bytes > California Attorney General submits final CCPA regulations for review
California state capital building and California flag

California Attorney General submits final CCPA regulations for review

James Shreve Luke Sosnicki Elizabeth Casale June 4, 2020

Links

Contributors

Contributors

David Duffy

David Duffy

Milada Goturi

Milada Goturi

Matt Hafter

Matt Hafter

Mark Mattingly

Mark Mattingly

Jennifer Post

Jennifer Post

James Shreve

James Shreve

Luke Sosnicki

Luke Sosnicki

RELATED EVENTS

RELATED EVENTS

May 17
2023

The Value of Cyber and Privacy Diligence
March 28
2023

Safeguarding the Data and Your Compliance Program – USED and GLBA
December 14
2022

Countdown to CPRA
November 15
2022

DOJ Cyber Fraud Initiative - Cyber Faces the FCA Hammer

On June 1, California Attorney General Xavier Becerra submitted final CCPA regulations for review by the Office of Administrative Law (OAL). The final regulations, available here, are substantively the same as the second modified regulations that the AG released back in March (which we wrote about here).

While the regulations themselves have not changed from the last draft, the timing of the release creates new questions for covered entities. For example, it is unclear when the regulations will take effect. Under normal review procedures, regulations submitted after May 31 would take effect on October 1. But the AG requested the OAL’s expedited review, which means the regulations could take effect on July 1, when enforcement is scheduled to begin. And if the OAL does not complete its review this month, a situation may arise where enforcement begins before the final regulations are in effect.

The final regulations were also submitted while the California Privacy Rights Act (“CPRA” or, as some have called it, “CCPA 2.0”) remains slated to appear on this fall’s ballot. The CPRA, which we wrote about here, would significantly alter businesses’ obligations, would require a re-write of the regulations and remains the elephant in the room.

Finally, because the final regulations do not address key points that various industry groups asked the AG to address (for example, more specifically defining what is a “sale” of personal information), the AG’s haste to submit the regulations might necessitate clarifying amendments in the future. This could add uncertainty to what has already been a year-long moving target for entities attempting to comply.

Now that the final regulations have been submitted, and enforcement will most likely begin in less than a month, covered companies that are not yet in compliance should take immediate steps to review their operations and ensure they comply.

Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.