Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.


Publications Events

Approval of Final Regulations Under the California Consumer Privacy Act

Publisher: Day Pitney Cybersecurity, Health and Technology (C.H.A.T.) Newsletter
October 1, 2020

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, with enforcement beginning January 1, 2020. The CCPA grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete and the right to opt out of the sale of personal information that businesses collect, and it includes additional protections for minors. Any entity (even those outside California) that gathers certain personal information on individuals in California must comply with the CCPA requirements. Due to the breadth of the law and the detailed requirements, many companies have been awaiting the final regulations, which went into effect in August. The regulations establish procedures for compliance and exercise of rights as well as clarify important transparency and accountability mechanisms for businesses subject to the law. 

On August 14, 2020, the final CCPA regulations went into effect upon their approval by the Office of Administrative Law (OAL) and filing with the California secretary of state. All businesses subject to the CCPA must now comply with both the statute and the final regulations. A copy of the approved final regulations can be found here.

The proposed final regulations were submitted to the OAL by California Attorney General Becerra (the CAG) on June 1, 2020. The proposed regulations have gone through several revisions since the publication of the initial draft on October 11, 2019, the first modified regulations on February 10, 2020, and thereafter, the second modified regulations on March 27, 2020. The proposed final regulations were drafted by the CAG, taking into consideration public comments received during the formal rulemaking process.[1] In submitting the final text of the proposed regulations, the CAG made certain clarifications to the draft regulations. In particular:

  • The definition of "household" was modified in § 999.301(h) to require that all members be residents in order to be part of a household request. This clarifies that persons in the dwelling are only included in the household if they are California residents. Further, the definition of household requires a strong connection between persons who (1) reside at the same address, (2) share a common device or the same service provided by a business and (3) are identified by the business as sharing the same group account or unique identifier. These factors reduce the likelihood that a member of the household is just temporarily occupying a dwelling; he/she must reside at the same address.
  • The final regulations proposed by the CAG require that notices and privacy policy be reasonably accessible to consumers with disabilities. This change was in response to comments that the earlier provisions on accessibility to consumers with disabilities were beyond what may be reasonable in every circumstance, particularly for small and midsize businesses with fewer resources. For notices provided online, the business is required to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, which are incorporated by reference. In other contexts, the business must provide information on how a consumer with a disability may access the notice in an alternative format.[2]
  • A business that collects personal information through a mobile application may provide a link to the notice within the application, such as through the application's settings menu.[3]
  • A business need not treat an unverified request to delete as a request to opt out of sale.[4] Instead, if a business denies a consumer's request to delete and sells personal information and the consumer has not already requested to opt out, the business must ask the consumer if he/she would like to opt out of the sale of their information, and it must include the contents of or a link to the notice of the right to opt out.
  • "Authorized agent" under the final regulations means a natural person or a business entity registered with the secretary of state to conduct business in California that a consumer has authorized to act on his/her behalf subject to the requirements set forth in § 999.326.[5]

During the OAL's review process, certain additional revisions were made to the regulations proposed by the CAG. In addition to withdrawing the foregoing provisions for additional consideration, the OAG has made certain nonsubstantive changes[6] for accuracy, consistency and clarity.[7] In particular, the sections in the proposed regulations which (i) required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose,[8] (ii) required businesses substantially interacting with consumers offline to provide notice of right to opt out via an offline method,[9] (iii) established minimum standards for submitting requests to opt out to businesses[10] and (iv) provided businesses with the ability to deny certain requests from authorized agents[11] were withdrawn from OAL review for additional consideration by the CAG.[12]

If you have questions about whether the CCPA applies to you or what you need to do to comply, please contact a Day Pitney technology attorney.

Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.

[2] Sections 999.305(a)(2)(d), 999.306(a)(2)(d), 999.307(a)(2)(d), and 999.308(a)(2)(d) of the final regulations.

[3] Sections 999.305(a)(3)(b), 999.306(b)(1) and 999.308(b) of the final regulations.

[4] Section 999.313(d)(1) of the final regulations.

[5] Section 999.301(c) of the final regulations.

[6] Changes to the original text of a regulation are nonsubstantive if they clarify without materially altering the requirements, rights, responsibilities, conditions or prescriptions contained in the original text. Cal. Code Regs., tit. 2, § 40.

[7] Changes without regulatory effect include renumbering or relocating a provision; revising structure, syntax, grammar or punctuation; and, subject to certain conditions, making a provision consistent with the statute. Cal. Code Regs., tit. 2, §100.

[8] Section 999.305(a)(5) of the proposed final regulations.

[9] Section 999.306(b)(2) of the proposed final regulations.

[10] Section 999.315(c) of the proposed final regulations.

[11] Section 999.326(c) of the proposed final regulations.

Related Professionals
Parsippany, NJ
T: (973) 966 8138
Hartford, CT
New Haven, CT
T: (860) 275 0294
New York, NY
T: (212) 297 2477
Washington, DC
T: (202) 218 3904