On August 14, 2020, California Attorney General Xavier Becerra announced the California Office of Administrative Law’s approval of the final California Consumer Privacy Act (CCPA) regulations, and filed them with the California Secretary of State. The AG’s office stated that the regulations are effective immediately.

The OAL made additional revisions to the March 11, 2020 regulations, summarized here, which itself comprised of revised regulations followed several rounds of public forums, hearings, and comment periods. At a high level, the final texts’ noteworthy substantive revisions from the March submission (noted in the OAG’s Addendum to the Final Statement of Reasons) include the following:

  • Removed §999.305(a)(5), purpose limitation requirement that businesses obtain a consumer’s consent prior to using a consumer’s personal information for materially different purpose than was disclosed in the business’s notice at the point of collection.
  • Removed §999.306(b)(2), offline notice/opt-out requirement.
  • Removed §999.315(c), “easy to use / no dark patterns” requirement that a business’s methods for submitting request for opt-out require minimal steps.
  • Removed §999.326(c), requirement that a business may deny a request from an authorized agent if the agent does not have proof of consumer consent to act on their behalf.
  • Businesses must now use the full text “Do Not Sell My Personal Information,” rather than the shorthand “Do Not Sell My Info.”

Businesses should be prepared for immediate enforcement of these regulations. The text of the CCPA stated that enforcement would begin six months after approval of the regulations or on July 1, whichever was sooner. With that July 1 deadline already past, the AG’s office has made its expectations for compliance clear, even—or especially—during this time of the COVID-19 pandemic: “In California, privacy is an inalienable right. Californians should control who possesses their personal data and how it’s used. … These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”

The AG may also attempt to bring enforcement actions against entities for alleged CCPA violations that occurred after the law took effect but before the regulations were finalized. Immediate or retroactive enforcement could prove difficult for businesses still struggling with the meaning of provisions in both the regulations and the underlying statute. In addition, the new privacy initiative on the November ballot, causes further confusion about how to best prepare for California’s privacy enforcement.