On August 14, 2020, California Attorney General (AG) Xavier Becerra announced that the Office of Administrative Law approved the AG’s proposed California Consumer Privacy Act (CCPA) regulations and filed them with the Secretary of State. The final CCPA regulations take effect immediately. This concludes a lengthy period of uncertainty for companies who have invested significant resources to understand their obligations under the statute which went into effect January 1, 2020, with the AG able to start enforcement as of July 1, 2020.  

As detailed in the Addendum to Final Statement of Reasons, the final regulations differ slightly from the version proposed by the AG in June. The AG withdrew certain provisions for additional consideration, such as the requirement that a business that substantially interacts with a consumer offline provide an offline method for providing the Notice of the Right to Opt-Out, while noting that the AG may resubmit these provisions after further review and possible revision. Other withdrawn provisions include: (1) the prohibition against using a consumer’s personal information for a materially different purpose than those included in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent; (2) the requirement that the methods provided to exercise the right to opt out of “sales” of personal information be “easy for consumers to execute” and “require minimal steps”; and (3) the provision that allowed a business to deny a request from an authorized agent that has not submitted proof, although a business can still deny an opt-out request if the agent cannot provide the consumer’s signed permission.

The remaining revisions to the final regulations are “non-substantive” changes for accuracy, consistency, and clarity. While many of these changes appear to be inconsequential grammatical tweaks, at least one may have substantive implications: the final regulations remove the option to use “Do Not Sell My Info” for the link by which the Notice of the Right to Opt-Out is available. This revision forces businesses using this language in their links to change it to the statutorily prescribed “Do Not Sell My Personal Information” language, and cautions all businesses on the importance of adhering to the statutory requirements.  

With the regulations now final, compliance will no longer be a “best guess” exercise but an ongoing obligation that will be impacted by enforcement activity, guidance, and changes to technology, business, and data practices. In the absence of an enforcement action, companies seeking guidance may consider looking to the AG’s resources, such as its comprehensive CCPA page, and statements, including its detailed responses to the public comments filed in the CCPA rulemaking process (available here, here, and here). It will also be important to keep an eye towards the future and monitor the outcome of the California Privacy Rights Act ballot initiative (dubbed “CCPA 2.0”), which, if passed in November, would have a significant impact on CCPA compliance.