Approval of Final Regulations Under the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, with enforcement beginning January 1, 2020. The CCPA grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete and the right to opt out of the sale of personal information that businesses collect, and it includes additional protections for minors. Any entity (even those outside California) that gathers certain personal information on individuals in California must comply with the CCPA requirements. Due to the breadth of the law and the detailed requirements, many companies have been awaiting the final regulations, which went into effect in August. The regulations establish procedures for compliance and exercise of rights as well as clarify important transparency and accountability mechanisms for businesses subject to the law. 

On August 14, 2020, the final CCPA regulations went into effect upon their approval by the Office of Administrative Law (OAL) and filing with the California secretary of state. All businesses subject to the CCPA must now comply with both the statute and the final regulations. A copy of the approved final regulations can be found here.

The proposed final regulations were submitted to the OAL by California Attorney General Becerra (the CAG) on June 1, 2020. The proposed regulations have gone through several revisions since the publication of the initial draft on October 11, 2019, the first modified regulations on February 10, 2020, and thereafter, the second modified regulations on March 27, 2020. The proposed final regulations were drafted by the CAG, taking into consideration public comments received during the formal rulemaking process.[1] In submitting the final text of the proposed regulations, the CAG made certain clarifications to the draft regulations. In particular:

• The definition of "household" was modified in § 999.301(h) to require that all members be residents in order to be part of a household request. This clarifies that persons in the dwelling are only included in the household if they are California residents. Further, the definition of household requires a strong connection between persons who (1) reside at the same address, (2) share a common device or the same service provided by a business and (3) are identified by the business as sharing the same group account or unique identifier. These factors reduce the likelihood that a member of the household is just temporarily occupying a dwelling; he/she must reside at the same address.

• The final regulations proposed by the CAG require that notices and privacy policy be reasonably accessible to consumers with disabilities. This change was in response to comments that the earlier provisions on accessibility to consumers with disabilities were beyond what may be reasonable in every circumstance, particularly for small and midsize businesses with fewer resources. For notices provided online, the business is required to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, which are incorporated by reference. In other contexts, the business must provide information on how a consumer with a disability may access the notice in an alternative format.[2]
• A business that collects personal information through a mobile application may provide a link to the notice within the application, such as through the application's settings menu.[3]
• A business need not treat an unverified request to delete as a request to opt out of sale.[4] Instead, if a business denies a consumer's request to delete and sells personal information and the consumer has not already requested to opt out, the business must ask the consumer if he/she would like to opt out of the sale of their information, and it must include the contents of or a link to the notice of the right to opt out.
• "Authorized agent" under the final regulations means a natural person or a business entity registered with the secretary of state to conduct business in California that a consumer has authorized to act on his/her behalf subject to the requirements set forth in § 999.326.[5]

During the OAL's review process, certain additional revisions were made to the regulations proposed by the CAG. In addition to withdrawing the foregoing provisions for additional consideration, the OAG has made certain nonsubstantive changes[6] for accuracy, consistency and clarity.[7] In particular, the sections in the proposed regulations which (i) required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose,[8] (ii) required businesses substantially interacting with consumers offline to provide notice of right to opt out via an offline method,[9] (iii) established minimum standards for submitting requests to opt out to businesses[10] and (iv) provided businesses with the ability to deny certain requests from authorized agents[11] were withdrawn from OAL review for additional consideration by the CAG.[12]