On June 1, 2020, the California Attorney General (AG) submitted the much anticipated final proposed regulations (Final Regulations) implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL) for approval. The OAL has 30 working days, plus an additional 60 calendar days under a COVID-19 Executive Order, to review the Final Regulations and the accompanying Final Statement of Reasons for compliance with the California Administrative Procedure Act. Once approved, they will be filed with the Secretary of State and become enforceable.
The headline here is that the Final Regulations reflect the proposed regulations in an earlier draft (which we summarized when it was issued in March). Despite multiple drafts and hundreds of public comments, the Final Regulations ultimately did not resolve some persistent, key ambiguities in the CCPA. For example, they do not establish whether personal information disclosed for retargeting through cookies or other technologies or to ad tech partners constitutes a “sale,” leaving that question for the AG and the courts. On the other hand, the CCPA’s core principles and policy objectives have remained intact throughout the rulemaking process, serving as a guidepost for compliance efforts.
Nonetheless, as we previously explained, any clarity offered by the Final Regulations could be short-lived if the Consumer Privacy Rights Act ballot initiative passes in November.
To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and chair of the Privacy & Cybersecurity practice, or Karen L. Neuman, partner and privacy lead in the Privacy & Cybersecurity practice.