One More Year: Attorney General Issues Final Regulations as CA Legislature Delays Some Compliance Obligations

Proskauer - Privacy & Cybersecurity

Proskauer - Privacy & Cybersecurity

Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know about the personal information that businesses collect about them; the right to know what businesses do with that information; and, the right opt out of the sale of certain personal information if a business sells that personal information. In turn, qualifying businesses that do business in California must institute certain policies, practices, and methods that allow consumers to effectuate those rights.

CCPA Then and Now: The Road to a “Final” Version

The CCPA was signed into law on June 28, 2018, became operative on January 1, 2020, and called for the Attorney General to promulgate implementing regulations before July 1, 2020. Due in part because the Attorney General had nearly two years to promulgate implementing regulations, the scope of businesses’ obligations under the law has been in flux pending the finalization of the regulations.

Since the CCPA was first signed in law, it has undergone many changes, significantly affecting its impact. In September 2018, just two months after the CCPA was signed, the California Legislature passed amendments that significantly changed its scope and how it would be enforced. (Read more about those amendments here). The following year, on October 10, 2019, the California Legislature passed additional amendments that further changed the scope of the CCPA. (Read about those amendments here). Part of those amendments was a bill that, with respect to information used in Business to Business (“B2B”) transactions and employee information used for employment purposes, delayed businesses’ obligations to comply with most of the CCPA until January 1, 2021. Then, throughout late 2019 and early 2020, the Attorney General released iterations of proposed implementing regulations, for public comment. Those regulations became finalized on August 14, 2020. The final text of the regulations can be found here.

But Wait, There’s More!

Due to the uncertain scope of business obligations and additional strain caused by the COVID-19 pandemic, businesses and trade groups sought to delay the Attorney General’s enforcement of the Act. Although the Attorney General did not agree to delay enforcement, he stated that his office may “exercise prosecutorial discretion if warranted.”

The CA Legislature, however, was persuaded by the businesses and groups, at least in part, and delayed compliance requirements for certain provisions of the CCPA. On September 1, 2020, the CA Legislature passed a bill extending the delay of business obligations with respect to certain personal information used in B2B transactions and for certain employment purposes until January 1, 2022. Businesses will still need to comply with the CCPA’s notice-at-the-time-of-collection requirement and are still subject to the CCPA’s data breach provision, which gives consumers the statutory right to bring legal actions against businesses for certain data breaches. But, business can rest easier knowing that at least some of the burden of compliance is delayed for another year. The full text of that bill is available here.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Cybersecurity | Attorney Advertising

Written by:

Proskauer - Privacy & Cybersecurity

Proskauer - Privacy & Cybersecurity on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.