
Following much anticipation, the Office of the California Attorney General (OAG) filed the final California Consumer Privacy Act (CCPA) Regulations with the California Office of Administrative Law (OAL) on June 1, moving the CCPA’s wide-ranging implementing regulations one step closer to becoming enforceable by law.

The CCPA grants the OAG the authority to begin enforcing the law on July 1, 2020. Whereas the OAG can enforce the CCPA on that date, businesses have been awaiting confirmation of whether the CCPA Regulations will be finalized and enforceable starting July 1 as well.

The effective date of the Regulations stems from the date the OAL transmits the final rules to the Secretary of State for adoption. Thus, while the OAG requested an expedited review from the OAL, even if the OAL completes its review in less than 30 days, the effective date of the Regulations will be Oct. 1, 2020, unless OAL designates a different effective date.

On June 1, 2020, the OAG submitted to the OAL its rulemaking package that consisted of the following, among other items:

  • an Updated Informative Digest, describing legislative updates since the original filing of the Notice of Proposed Rulemaking Action on Oct. 11, 2019, including changes to the proposed regulations since the Notice of Proposed Rulemaking Action;
  • much of the record of materials received and released during the rulemaking process, including public comments and responses, public hearing transcripts, white papers, and more.

The OAG emphasized, per the Request for Expedited Review: “While the Attorney General is mindful of the challenges imposed by COVID-19 and Governor Newsom’s Executive Order N-40-20 granting additional time to finalize proposed regulations, the Attorney General respectfully requests that the Office of Administrative Law complete its review within 30 business days, given the statutory mandate for regulations.”

With the request, the OAL has 30 working days, plus an additional 60 calendar days as established by the Executive Order referenced, to review the package for procedural compliance with the California Administrative Procedure Act. OAL’s review is limited to regulatory legal requirements. OAL has no power to change the proposed regulation and OAL does not accept public comments on or correspondence about proposed regulations. Once the OAL approves the package, the final regulations text will be filed with the Secretary of State.

Without an expedited review, and alteration of the normal effective date schedule, the regulations will not take effect until Oct. 1.

California Attorney General Xavier Becerra also noted in a press release, “Our regulations provide businesses and individuals with guidance on how to protect that choice and boost transparency, while continuing to unleash innovation. Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

Darren Abernethy

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in AmLaw private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy, data breach management, and FTC best practices.

Darren’s concentrations include the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and IP-related transactional matters.

Gretchen A. Ramos

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.