Since the California Consumer Privacy Act (CCPA) entered into force on January 1, 2020, many companies have been closely following the development of CCPA Regulations by the California Attorney General’s Office (AG’s Office). The AG’s Office released an initial draft of the CCPA Regulations in October 2019, prompting over 3,000 pages of public comment (read our summary of the key impacts of the October 2019 Regulations draft here). This initial draft was followed by a first round of modifications in February 2020 (read our summary of major business impacts here), as well as a second round of modifications in March 2020. Each round of modifications generated further public comment.
On June 2, 2020, California Attorney General Xavier Becerra announced that his office had finalized the CCPA Regulations and submitted them to California’s Office of Administrative Law (OAL) for review. The AG’s Office has thus published its finalized CCPA Regulations, a copy of which can be accessed here. The finalized Regulations appear to be mostly identical to the version of the Regulations published in March 2020, with the exception of formatting and clean-up changes, and the deletion of the phrase “or a typical consumer’s data” from § 999.337(a)(2).
So when will the finalized CCPA Regulations take effect? In normal circumstances, the CCPA Regulations would take effect on October 1, 2020 or January 1, 2021, depending on when OAL completes its review. However, here, a significantly earlier effective date is possible. California’s administrative procedure law permits an earlier effective date if the AG’s Office “makes a written request to [OAL] demonstrating good cause for an earlier effective date.” Cal. Gov’t Code § 11343.4(b). The AG’s Office appears to have done so here, submitting a “Written Justification for Earlier Effective Date and Request for Expedited Review” (available here) to OAL asking for the Regulations to take effect as soon as they are filed with California’s Secretary of State. If OAL grants the AG’s request, it is possible that the CCPA Regulations take effect on or before July 1.
Not many observers expected the AG’s Office to push for an expedited effective date in the middle of the COVID pandemic. The AG’s responses to recent public comments may provide insight. As the AG’s Office stated in response to public comments about implementing new compliance during the COVID pandemic, “[t]he [AG’s Office] has determined that any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.”
* * *
Alston & Bird is assisting organizations across industries with CCPA Regulations compliance on an expedited timeline that accounts for the potential of a July 1 effective date. For more information contact Jim Harvey, David Keating, Kim Peretti, Amy Mushahwar, Kathleen Benway, Karen Sanzaro, Maki DePalo, or Daniel Felz.
