The California Consumer Privacy Act (CCPA) requires the California Attorney General (AG) to issue regulations to “further the purposes of the title” by July 1, 2020. As that date quickly approaches, various rumors have been circulating about the status of the final regulations and whether they will actually be issued by July 1, or at all. Some have speculated that due to the current state of affairs related to COVID-19, the AG’s office may not even issue final regulations and that the current draft will become the final version enforced by the AG on July 1. Others have contended that due to the administrative law requirements of California, the AG’s apparent inaction, and a backlog at the Office of Administrative Law (OAL), the final regulations will now inevitably be delayed until Oct.1.

Despite the conjecture, there are three possible ways in which the CCPA regulations might be adopted on or before July 1.

First, there is still time under the normal procedure to have the final regulations adopted and in effect by July 1.  The CCPA regulations will become effective by July 1 if the OAL files the CCPA regulations with the Secretary of State by Monday, June 1. The statutorily prescribed deadline for filing the regulations with the Secretary of State is actually May 31. (Gov. Code Section 11343.4(a)(3)).  However, since May 31 falls on a Sunday, California law extends the deadline to the next business day, which is Monday, June 1. Procedurally, the AG’s office submits the proposed regulation to the OAL. Although the OAL has up to 30 working days to approve and file the approved regulation with the Secretary of State (Gov. Code Section 11349.3(a)), the 30 working days are a maximum review period; there is no minimum review period mandated by the applicable statute (Gov. Code Section11349.3(a)). As a result, the AG’s office could submit final regulations to the OAL up to or on June 1, and the OAL could approve and file with the Secretary of State by the deadline. It is not clear whether the OAL would in fact review, approve, and file the regulation with the Secretary of State on an expedited basis.

In the event the OAL does not file the regulations with the Secretary of State by June 1, the statute provides two additional ways for the regulations to be adopted by July 1.

Specifically, Section 11343.4(b) states that the filing deadlines and effective dates (e.g., filing date of May 31, for an effective date of July 1) do not apply where “(1) the effective date is specifically provided by the statute pursuant to which the regulation was adopted, in which event it becomes effective on the day prescribed by the statute … or (3) the agency makes a written request to the office demonstrating good cause for an earlier effective date, in which case the office may prescribe an earlier date.” As to 11343.4(b)(1), the CCPA provides that “[o]n or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title.” See CA Civ. Code Section 1798.185(a). To the extent that this provision of the CCPA goes as far as “specifically [providing]” the effective date of the regulations, the AG’s office can argue that, regardless of the date the regulations are filed with the Secretary of State, July 1 is the effective date of the CCPA regulations.

Alternatively, under Section 11343.4(b)(3) of the Government Code, the AG could submit the final regulations late and then ask for the July 1 effective date based on “good cause” for earlier enforcement. It is not clear whether the AG has plans to assert this “good cause” argument if the statutory deadline (May 31, extended to June 1 per above) is missed, but it is a possibility under the statute that governs the regulatory process.

As a result, organizations should not yet assume that there will not be final regulations on July 1 as some have asserted. Companies should continue to plot a path toward compliance by July 1 because of the real possibility that the regulations could still be adopted. Moreover, to the extent that there are not final regulations by July 1, there is nothing that explicitly prevents enforcement on July 1 if the AG fails to have regulations adopted and the AG’s office has made statements to this effect. Though, it is unclear how enforcement actions, based on a statute and regulations that are not final could be upheld if challenged.

Photo of Gerald J. Ferguson Gerald J. Ferguson

Gerald Ferguson currently serves as the Intellectual Property, Technology and Media Group Coordinator for the firm’s New York office. Mr. Ferguson also serves as the national leader of the firm’s Privacy and Information Security group. He has worked with companies to create national…

Gerald Ferguson currently serves as the Intellectual Property, Technology and Media Group Coordinator for the firm’s New York office. Mr. Ferguson also serves as the national leader of the firm’s Privacy and Information Security group. He has worked with companies to create national and global privacy policies. He has extensive experience advising companies regarding compliance with state breach notification laws. Mr. Ferguson is able to advise clients regarding notification obligations quickly and efficiently using a state-by-state survey of the 47 jurisdictions with breach notification laws that is regularly updated by Baker Hostetler’s Privacy and Information Security group. As part of his proactive approach to an incident response, he works with forensic consultants to develop the substantive opinions necessary to support a determination that disclosure of a breach is not required when possible. If disclosure is required, he uses a team approach to carefully manage the process in a cost-effective and efficient manner that focuses on minimizing reputational harm.

Mr. Ferguson is Chairman of the Intellectual Property Committee of the New York State Bar Association, International Law and Practice Section.