Goodwin Insights June 10, 2020

California Attorney General Submits Final Proposed CCPA Regulations For Approval

On June 1, 2020, the California Attorney General (AG) submitted the much anticipated final proposed regulations (Final Regulations) implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL) for approval. The OAL has 30 working days, plus an additional 60 calendar days under a COVID-19 Executive Order, to review the Final Regulations and the accompanying Final Statement of Reasons for compliance with the California Administrative Procedure Act. Once approved, they will be filed with the Secretary of State and become enforceable.

The headline here is that the Final Regulations reflect the proposed regulations in an earlier draft (which we summarized when it was issued in March). Despite multiple drafts and hundreds of public comments, the Final Regulations ultimately did not resolve some persistent, key ambiguities in the CCPA. For example, they do not establish whether personal information disclosed for retargeting through cookies or other technologies or to ad tech partners constitutes a “sale,” leaving that question for the AG and the courts. On the other hand, the CCPA’s core principles and policy objectives have remained intact throughout the rulemaking process, serving as a guidepost for compliance efforts.

Nonetheless, as we previously explained, any clarity offered by the Final Regulations could be short-lived if the Consumer Privacy Rights Act ballot initiative passes in November.

Authors:
Karen L. Neuman
Alex J. Moyer
Eric DiIulio

Goodwin’s CCPA team, led by Privacy & Cybersecurity partner and privacy lead Karen Neuman, includes, Eric DiIulio, Alex Moyer, David Kantrowitz, Jackie Klosek, Allyson Maur, and William Stern.

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and chair of the Privacy & Cybersecurity practice, or Karen L. Neuman, partner and privacy lead in the Privacy & Cybersecurity practice.