On October 10, 2019, the California Attorney General's office issued the much-anticipated proposed text of its California Consumer Privacy Act (CCPA) regulations (the Regulations). The nearly 10,000-word Regulations propose detailed rules regarding required notices for consumers, business practices for handling consumer requests, verification of requests, special rules regarding minors, and non-discrimination. The Regulations go beyond clarifying ambiguities in the law and propose new requirements, many of which are not contained in the Act. Alongside the Regulations, the Attorney General published an Initial Statement of Reasons, which aims to provide the justifications for each requirement. Given the timing of their release, the Regulations do not incorporate any of the CCPA amendments approved by the California legislature in September and signed by California Governor Gavin Newsom on October 11, 2019 (a day after the Regulations were issued). The Attorney General indicated, however, that the Regulations will be updated to reflect the amendments. The Regulations come at a time when businesses have fewer than three months left to prepare before the CCPA takes effect on January 1, 2020, though the Regulations themselves will not take effect or be enforced until July 1, 2020.
The biggest takeaways from the Regulations include:
For a more in-depth analysis of the main components of the Regulations, please see our Data Advisor article.
Next Steps
The Regulations are subject to a mandatory 45-day public comment period, during which the Attorney General's Office will hold four public hearings across California.
The Attorney General will accept comments on the Regulations at the hearings, by mail, or by email until December 6, 2019, at 5:00 p.m. We urge businesses affected by the Regulations to submit comments to the Attorney General and welcome any requests to assist with such submissions. WSGR will continue to monitor further CCPA developments. For more information or to submit a public comment, please contact Chris Olsen, Eddie Holman, Mariam Abdel-Malek, Lydia Parnes, or another member of the firm's privacy and cybersecurity practice.