Monday, California Attorney General Xavier Becerra submitted of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA. This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.
Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft. In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection, financial incentives, consumer opt-out rights, and the handling of requests to know and delete.
An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable. Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date.
While some of the aspects of compliance are not crystal clear, such as whether notices may be combined, we do have clarity regarding a majority of the compliance landscape for CCPA, including:
- a business’ obligations to provide notice of financial incentive;
- notice at collection on mobile devices, as well as notice requirements for data brokers, and employers;
- a two tiered notice and policy process for consumers, including language and accessibility requirements;
- the 4 necessary components required for any notice, also discussed in our last post;
- the requirement for CCPA training for appropriate employees; and
- the sunset provision for employee and contractor notice to collection.
The March 11th revisions’ removal of the “opt out” button held firm, as did the addition that a business may not sell personal information gathered prior to the consumer’s notice of the right to opt out, without affirmative consent of the consumer. Consequently, businesses can also be more confident in their implementation of processes for handling requests to know and delete, and should move forward with doing so.
In any event, businesses need to review their notice and data handling practices, as well as their vendor agreements to make sure that the CCPA requirements are addressed. While there are still some questions, at least now there are concrete actions businesses can take around compliance.