On August 14, 2020, California Attorney General Xavier Becerra (the "California AG") announced that the regulations implementing the California Consumer Privacy Act (the "Act" or the "CCPA") had been approved by the state's Office of Administrative Law ("OAL"), with the regulations going into effect immediately. While the CCPA itself has been in effect for some time, the regulations are what effectively provide businesses with a blueprint on how to be deemed CCPA compliant.
The long-awaited announcement comes more than 10 months after the initial implementing regulations were proposed on October 10, 2019, seven months after the CCPA first went into effect on January 1, 2020, and six weeks after the California AG's office began enforcing the CCPA on July 1, 2020. After three rounds of draft regulations and public comment over the past year, businesses can finally refine their CCPA compliance programs based on more definitive regulatory guidance from the California AG. Businesses should ensure familiarity with the regulations and their myriad technical requirements, since, as the California AG's recent flurry of enforcement makes clear – even minor infractions may not go unnoticed by the state as it embarks on its first season of CCPA enforcement.
The CCPA, as discussed in prior publications, is often compared to the comprehensive General Data Protection Regulation ("GDPR"), in that it applies extraterritorially and gives consumers both the right to know what type of consumer personal information businesses collect about them and the right to request that such data be deleted. But while the CCPA guarantees consumers protective rights, the Act's accompanying implementing regulations are what establish the specific procedures businesses must comply with in order to be CCPA compliant. Under the regulations, businesses must, among other things: