On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”).  This was the last step the AG needed to take before the Regulations become enforceable.  But whether enforcement will still start on July 1, 2020 as set forth in the CCPA remains uncertain.

What does this mean for the timing of CCPA enforcement?

Some have questioned whether the AG’s delay in submitting the Regulations following the end of the last comment period in March signaled an intent by the AG to delay enforcement of the CCPA.  So far, however, there is no indication of any intended delay in either the AG’s press announcement regarding submission of the Final Regulations or his prior comments reiterating his intention to keep enforcement on track despite COVID-19.  Indeed, the AG requested expedited review of the Regulations by OAL in order to meet the July 1 deadline.

The wildcard here is COVID-19.  While the OAL normally has 30 working days to approve proposed regulations and file them with the Secretary of State, California Executive Order N-40-20 addressing COVID-19 provides the OAL an additional 60 calendar days to do so.  Should we still expect enforceable regulations by July 1 given the deadline in the CCPA?  Will the OAL take more time than that?  There is no way to know for sure, but at least businesses working to get in compliance now have a final set of regulations available to them.

The Supporting Reasons for the Various Revisions to the Regulations

The AG’s Final Statement of Reasons also is available, and provides useful explanations for some of the changes made to the Regulations throughout the various drafts.  For example, it explains that the AG added the provision stating that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information” (§ 999.305(d)) because it is simply not feasible to do so.  The AG apparently considered, but rejected, various means of providing notice—such as requiring the posting of an online privacy policy—because they would ultimately not provide meaningful notice.

Unfortunately, there is no explanation as to why the AG removed former § 999.302, which stated that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”  We suspect the change was not further explained because the edited language did not appear in the original set of draft Regulations.

Lastly, the Final Statement of Reasons announced that the AG deleted the proposed Do Not Sell My Personal Information button “in order to further develop and evaluate a uniform opt-out logo or button for use by all businesses to promote consumer awareness of how to easily opt-out of the sale of personal information.”  There is no telling when that model button might be released, or whether the public will have an opportunity to provide input.

Lest the purpose of many of the revisions remain unclear, the Final Statement of Reasons contains no fewer than seven references to revisions meant to prevent businesses from “evading” or “avoiding” their obligations under the CCPA.

It’s still not too late to get in compliance with the CCPA— and at least for now, the rules themselves are no longer shifting.