On June 2, 2020, the California Attorney General announced that it had submitted the final proposed regulations package for the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The OAL now has 30 working days, plus an additional 60 calendar days under COVID-19-related Executive Order N-40-20, to review the package for compliance with California’s Administrative Procedure Act (APA). If approved by the OAL, the final regulations will then be filed with the California Secretary of State and become enforceable.
The submission of the CCPA final proposed regulations is the culmination of a rulemaking process that began with preliminary hearings in January 2019 and continued with three different drafts of the proposed regulations in October 2019, February 2020, and March 2020. In the midst of this process, participants had to contend with numerous substantive amendments made to the CCPA by the California legislature near the end of 2019.
For those who have been following along with this process and modifying their CCPA compliance practices as the proposed regulations have evolved, the good news is that the final proposed regulations have not changed from the third draft issued in March. For those hoping that the final draft would modify or remove some of the compliance obligations in the third draft that go beyond the requirements of the statute, the bad news is unfortunately the same, as the Attorney General dismissed all of the many comments filed during the last comment period requesting such modifications.
When the CCPA final proposed regulations will ultimately take effect, and whether the Attorney General satisfied the APA’s rulemaking requirements, is now in the hands of the OAL. Typically, California regulations become effective on a predetermined quarterly date based on the date they are filed with the Secretary of State. In this case, if the OAL completes its review and the CCPA regulations are filed with the Secretary of State by August 31, 2020, the regulations would normally take effect October 1, 2020.
Since the Attorney General plans to begin enforcement of the CCPA statute on July 1, 2020, the Attorney General filed a request for expedited review and that the regulations become effective upon filing with the Secretary of State as part of the final proposed regulations package. This request for expedited review faces some challenges, however, as the OAL currently has a backlog of 64 other rulemaking reviews and the rulemaking record for the CCPA regulations is quite voluminous. Additionally, there are provisions in the CCPA regulations that go beyond the requirements of the statute and will require legal analysis to examine whether the Attorney General has sufficient statutory authority to support those requirements.
In the end, the CCPA regulations could conceivably take effect anytime between July 1—October 1, 2020, with little to no notice to businesses ahead of time. Accordingly, and as the California Attorney General intends to begin enforcing the CCPA on July 1, 2020, businesses should implement or update their CCPA policies and procedures in accordance with the final proposed regulations as soon as possible.
For more information or advice concerning your CCPA compliance efforts, please contact Tracy Shapiro, Eddie Holman, Allison Bender, or another member of the firm’s privacy and cybersecurity practice.