Home > Insights > Blogs > Cybersecurity Bits and Bytes > Office of Administrative Law approves final CCPA regulations
trick-or-treat-for-california-employers-650x510

Office of Administrative Law approves final CCPA regulations

James Shreve Luke Sosnicki Elizabeth Casale August 18, 2020

Links

Contributors

Contributors

David Duffy

David Duffy

Milada Goturi

Milada Goturi

Matt Hafter

Matt Hafter

Mark Mattingly

Mark Mattingly

Jennifer Post

Jennifer Post

James Shreve

James Shreve

Luke Sosnicki

Luke Sosnicki

RELATED EVENTS

RELATED EVENTS

May 17
2023

The Value of Cyber and Privacy Diligence
March 28
2023

Safeguarding the Data and Your Compliance Program – USED and GLBA
December 14
2022

Countdown to CPRA
November 15
2022

DOJ Cyber Fraud Initiative - Cyber Faces the FCA Hammer

On August 14, California Attorney General Xavier Becerra announced that the Office of Administrative Law (OAL) had approved the regulations for the California Consumer Privacy Act (CCPA) and filed the regulations with the California Secretary of State. The regulations take effect immediately.

The August 14 regulations were also accompanied by an Addendum to the Final Statement of Reasons. The Attorney General made “non-substantive” changes to the final regulations for “accuracy, consistency, and clarity.”

While the Attorney General described its changes as “non-substantive,” several notable provisions were withdrawn. These are:

  1. Section 999.305(a)(5), which required affirmative opt-in for a material change to how a business uses personal information.

  2. Section 999.306(b)(2), which required the provision of an offline notice of opt-out right where a business substantially interacts offline with a consumer.

  3. Section 999.315(c), which required that methods for opt-out be easy to execute.

  4. Section 999.326(c), which allowed a business to deny an authorized agent request if the agent did not submit proof of their authority to act for the consumer.

The Addendum to the Final Statement of Reasons allows for those four withdrawn provisions to be resubmitted by the Attorney General after further review and possible revision. Article 7 regarding severability was also “deleted as unnecessary.”

Enforcement of the CCPA began on July 1, 2020, and companies should be aware that the Attorney General has reportedly already begun to send out notices of non-compliance. With the final regulations now in place, companies have guidance on compliance with the CCPA. However, as the California Privacy Rights Act (CPRA) will now appear on California’s November 2020 ballot, it is possible that companies may be faced with entirely new requirements, some as early as next year.

Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.