California AG Finalizes CCPA Regulations as CPRA Looms

California AG Finalizes CCPA Regulations as CPRA Looms

Blog WilmerHale Privacy and Cybersecurity Law

On June 1st, the California Attorney General (“California AG”) submitted final regulations under the California Consumer Privacy Act (“CCPA”) to California’s Office of Administrative Law (“OAL”) for approval, along with an updated Statement of Reasons.

The Final Regulations are Identical to the Most Recent Version of the Regulations

Substantively, the final version of the regulations are identical to the Second Set of Modified Regulations that the California AG’s office released on March 11th, which we previously described and linked to here. Businesses that previously delayed their compliance efforts due to uncertainty in the substance and timing of the regulations now have a final version of the text to apply, as well as less than a month before enforcement actions could potentially begin.

The California AG’s Office is Hoping that OAL’s Review is Complete by July 1 But Plans to Begin CCPA Enforcement At that Date Regardless

The California AG’s submission yesterday included a request that OAL expedite review of the final CCPA regulations, so that the regulations will be effective by July 1st. (Ordinarily, regulations submitted for approval to the OAL in June of a given year become effective on October 1st). The California AG’s request for expedited review is based upon the CCPA’s statutory requirement that the California AG adopt initial regulations by July 1st.

The California AG indicated in a press release yesterday that his office is committed to enforcing the law as of July 1st, whether or not the OAL has completed its review by then.

The final regulations are submitted more than two months after the comment period for the Second Set of Modified Regulations ended and exactly one month before the CCPA authorizes the California AG to begin bringing enforcement actions under the law.

A number of interest groups submitted comment letters during the comment period after the Second Set of Modified Regulations were released asking the California AG to delay the implementation of the regulations so that businesses could have time to implement the new regulations. The California AG’s Office seems to have declined those requests.

What’s Next: CPRA?

As businesses take final steps to comply with the CCPA, with 27 days left until enforcement begins, the California Privacy Rights Act (“CPRA”)—the latest privacy law ballot initiative proposed by Alastair Mactaggart and his group, Californians for Consumer Privacy—looms as a likely ballot initiative in November. Last month, Californians for Consumer Privacy announced that it was submitting over 900,000 signatures to qualify the CPRA as a ballot initiative to be voted on by Californians this November. This number far exceeds the roughly 625,000 signatures needed for ballot certification. However, California election officials must still validate the signatures by June 25th in order for the CPRA to make the ballot this year. Should it make the cut, early polling conducted by Californians for Consumer Privacy indicates that it would overwhelmingly pass, which would mean that it would likely go into law on January 1, 2023.

The CPRA’s requirements would go beyond those of the CCPA in many respects by, for example, creating additional obligations for businesses that process “sensitive” personal information and providing consumers with additional rights, such as the right to correct inaccurate personal information. The CPRA would also create the “California Privacy Protection Agency,” which would be responsible for enforcing the law, displacing the California AG’s office in that role.