On June 1, California Attorney General Xavier Becerra submitted final CCPA regulations for review by the Office of Administrative Law (OAL). The final regulations, available here, are substantively the same as the second modified regulations that the AG released back in March (which we wrote about here).
While the regulations themselves have not changed from the last draft, the timing of the release creates new questions for covered entities. For example, it is unclear when the regulations will take effect. Under normal review procedures, regulations submitted after May 31 would take effect on October 1. But the AG requested the OAL’s expedited review, which means the regulations could take effect on July 1, when enforcement is scheduled to begin. And if the OAL does not complete its review this month, a situation may arise where enforcement begins before the final regulations are in effect.
The final regulations were also submitted while the California Privacy Rights Act (“CPRA” or, as some have called it, “CCPA 2.0”) remains slated to appear on this fall’s ballot. The CPRA, which we wrote about here, would significantly alter businesses’ obligations, would require a re-write of the regulations and remains the elephant in the room.
Finally, because the final regulations do not address key points that various industry groups asked the AG to address (for example, more specifically defining what is a “sale” of personal information), the AG’s haste to submit the regulations might necessitate clarifying amendments in the future. This could add uncertainty to what has already been a year-long moving target for entities attempting to comply.
Now that the final regulations have been submitted, and enforcement will most likely begin in less than a month, covered companies that are not yet in compliance should take immediate steps to review their operations and ensure they comply.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.