Home > Insights > Blogs > Cybersecurity Bits and Bytes > Office of Administrative Law approves final CCPA regulations

Office of Administrative Law approves final CCPA regulations

On August 14, California Attorney General Xavier Becerra announced that the Office of Administrative Law (OAL) had approved the regulations for the California Consumer Privacy Act (CCPA) and filed the regulations with the California Secretary of State. The regulations take effect immediately.

The August 14 regulations were also accompanied by an Addendum to the Final Statement of Reasons. The Attorney General made “non-substantive” changes to the final regulations for “accuracy, consistency, and clarity.”

While the Attorney General described its changes as “non-substantive,” several notable provisions were withdrawn. These are:

  1. Section 999.305(a)(5), which required affirmative opt-in for a material change to how a business uses personal information.

  2. Section 999.306(b)(2), which required the provision of an offline notice of opt-out right where a business substantially interacts offline with a consumer.

  3. Section 999.315(c), which required that methods for opt-out be easy to execute.

  4. Section 999.326(c), which allowed a business to deny an authorized agent request if the agent did not submit proof of their authority to act for the consumer.

The Addendum to the Final Statement of Reasons allows for those four withdrawn provisions to be resubmitted by the Attorney General after further review and possible revision. Article 7 regarding severability was also “deleted as unnecessary.”

Enforcement of the CCPA began on July 1, 2020, and companies should be aware that the Attorney General has reportedly already begun to send out notices of non-compliance. With the final regulations now in place, companies have guidance on compliance with the CCPA. However, as the California Privacy Rights Act (CPRA) will now appear on California’s November 2020 ballot, it is possible that companies may be faced with entirely new requirements, some as early as next year.

Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.