California Attorney General Issues Final CCPA Regulations


The regulations, providing businesses compliance guidance under the California Consumer Privacy Act, are now in effect.

8/17/2020 14:00

Final regulations under the California Consumer Privacy Act (CCPA) have been approved by the state’s Office of Administrative Law (OAL) and are now in effect, according to a news release from California Attorney General Xavier Becerra.

Becerra submitted proposed final regulations to the OAL on June 1, 2020, and asked for expedited review, ACA International previously reported. Enforcement of the CCPA started on July 1, 2020.

“With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy,” Becerra said in the news release. “These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”  

The OAL made additional revisions to the proposed regulations during its review process that provide clarity and consistency in the final language.

According to a blog post from Nick Whisler, partner with ACA International member company Mac Murray & Shuster LLP, the final regulations also include several substantive changes:

  • Removed all references to the “Do Not Sell My Info” link. This means businesses must revert to the “Do Not Sell My Personal Information” link contemplated by the statute.
  • Deleted the provision requiring businesses to obtain consumers’ explicit consent before using their personal information for purposes that are materially different than those disclosed when the business collected the information. Although this may provide additional flexibility, businesses must be mindful of other CCPA provisions and general consumer protection laws, which broadly prohibit deceptive acts and practices.
  • Deleted the provision requiring businesses to provide offline Do Not Sell notices in certain situations. Businesses must still provide point of collection notices; however, the regulations allow businesses to direct consumers to their online privacy policies to receive the disclosures.
  • Deleted the requirement for the Do Not Sell request mechanism to be “easy for consumers to execute and…require minimal steps.”
  • Deleted the provision allowing businesses to deny requests from authorized agents that do not submit proof that they have been authorized by the consumers to act on their behalf. This would be problematic if not for other CCPA provisions that limit authorized agent requests, including the ability to verify with the consumer that the agent has permission to act on his or her behalf.

The CCPA was signed into law on June 28, 2018, and was further amended through several bills on Sept. 23, 2018, and on Oct. 11, 2019. The law went into effect on Jan. 1, 2020.

As a refresher, key requirements of the CCPA include:

  • Businesses must disclose data collection and sharing practices to consumers;
  • Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
  • Consumers have a right to request what information is collected; and
  • Businesses are required to provide a privacy notice prior to collecting information from a consumer.

The regulations establish procedures for compliance and exercise of rights, as well as clarify important transparency and accountability mechanisms for businesses subject to the law, according to the attorney general’s news release.

Text of the CCPA and changes from the prior version of the proposed regulations can be viewed on the California attorney general’s website for the CCPA.

ACA is reviewing the final regulations and will provide any additional updates in ACA Daily.

Related Content from ACA International

California Issues More Modifications to CCPA Data Privacy Law

Mapping the California Consumer Privacy Act

CCPA Clarity in California

If you are interested in sharing articles and analysis on legal cases, industry laws and regulations or other relevant topics for possible publication with ACA International, email our Communications Department at [email protected].

This site uses cookies. By continuing to use our site, you are agreeing to our use of cookies. Review our Privacy Policy for more information. You may change your preferences on how cookies are stored by reviewing the settings on your browser.

The content on this site is presented for educational, general reference, and informational purposes only; is not intended to serve as legal or other advice; is not intended to be a full and exhaustive explanation of the law in any area; and should not replace the advice of your own legal counsel. By continuing to use our site, you are agreeing to the legal disclaimers in our Terms of Use. Review our Terms of Use for more information.

Friendly Reminder

Get continued access to ACA International’s wide array of resources, which can help you become more profitable, compliant and successful.

Renew your membership today to take advantage of tools you won’t find anywhere else:

  • Discounts on seminars, products, services and events
  • Resources to strengthen your compliance department
  • Industry-specific risk management products and services
  • Participation in ACA’s online community, The Hub
    Members-only website content
  • Professional development and training opportunities, and so much more!

If you have completed your renewal, please disregard this reminder.