CCPA Enforcement Without Regulations

UPDATE 6/2/20, Final Regulations Submitted: After the publication of the alert below, on June 1, 2020, the California Attorney General submitted final regulations for the CCPA to the California Office of Administrative Law and requested an expedited review. Most of the changes from the most recent version of the proposed regulations are non-substantive. However, one notable change is that the final regulations do not require a business to include assertions in its privacy policy as to whether it will sell personal information in the future.

It is currently unclear when these regulations will be enforceable. The OAL has 30 business days, plus an additional 60 calendar days under Executive Order N-40-20 issued due to the COVID-19 pandemic, to review the final regulations. However, the California Attorney General has asked that the OAL limit its review to 30 business days. Additionally, the Attorney General has requested that the final regulations become law immediately upon filing with the California Secretary of State following the OAL’s approval. If the OAL complies with the Attorney General’s requests, businesses may have limited notice before the final regulations become effective. As discussed below, it is important for businesses to continue their privacy compliance efforts.

The California Attorney General will begin enforcing the statutory provisions of the California Consumer Privacy Act of 2018 (the “CCPA”) on July 1, 2020. However, the regulations to be promulgated under the CCPA (and which are meant to provide much-needed clarification of the statutory requirements of the CCPA) have yet to be finalized by the California Attorney General’s Office. As discussed in our prior alerts (found here and here), the Attorney General has released a few drafts of the proposed regulations, with the latest draft released on March 11, 2020. With fewer changes in each draft of the proposed regulations, commentators suspected that the Attorney General would finalize the regulations in time for their enforcement to coincide with the July 1, 2020 statutory enforcement date. However, before the regulations can take effect, the Attorney General must submit the proposed regulations to the California Office of Administrative Law (the “OAL”) for review. In order for the proposed regulations to take effect on July 1, 2020, the Attorney General would have had to submit the proposed regulations to the OAL by May 31, 2020, which did not occur.

While the Attorney General may be able to file the regulations and request an expedited review from the OAL, this may not be feasible given the OAL’s current workload. Generally, in California, regulations become effective on one of four quarterly dates based on when the final regulations are approved by the OAL and then filed with the California Secretary of State: January 1 (when filed between September 1 and November 30), April 1 (when filed between December 1 and February 29), July 1 (when filed between March 1 and May 31), and October 1 (when filed between June 1 and August 31). Thus, because the Attorney General did not file the regulations by May 31, 2020, it is likely that the effective date of the CCPA regulations will be October 1, 2020 at the earliest.

Even though the regulations are not yet effective, businesses should not slow their privacy compliance efforts, because the Attorney General intends to begin to enforce the statutory provisions of the CCPA on July 1, 2020. Additionally, although not final or binding, the current draft of the proposed regulations may be used as a helpful tool in determining how to structure a CCPA compliance program. Businesses may also want to consider reviewing past interpretations and enforcement of other privacy laws for guidance on how to structure their CCPA compliance.

If you need assistance with your privacy compliance efforts or wish for more information on compliance with the CCPA and its regulations, please contact one of our Cybersecurity & Data Privacy attorneys.