The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that may apply to businesses located in and outside of California. It was signed into law on June 28, 2018, went into effect on January 1, 2020, and became enforceable on July 1, 2020. The CCPA required the California State Attorney General to craft regulations that, among other things, operationalized the CCPA for businesses and provided guidance to consumers regarding their rights under the CCPA.1 The first CCPA regulations were approved by California’s Office of Administrative Law (OAL) on August 14, 2020. After four versions of proposed modifications and the incorporation of related feedback, on March 15, 2021, California’s Attorney General announced that the California OAL had approved additional regulations.2 The OAL’s approval of the amendments made these regulations law. Violations of the regulations are deemed violations of the CCPA. The revisions to the regulations went into effect upon approval on March 15, 2021. Just as these changes took effect, on March 17, 2021, California continued preparing for enforcement of the California Privacy Rights Act (CPRA), as California Governor Gavin Newsom announced the establishment and appointment of the inaugural five-member board for the California Privacy Protection Agency (CPPA). The CPPA was established by the CPRA and is a new administrative agency tasked with “protecting the fundamental privacy rights of consumers over their personal information.”3 The CPPA will take over rulemaking duties from the California Attorney General’s office and may bring administrative enforcement actions related to the CCPA, as well as the CPRA when it becomes effective in 2023.
In addition to the regulations set forth on August 14, 2020, the new regulations provide practical guidance for businesses’ compliance with the CCPA. The California Attorney General emphasized that the “newly-approved regulations ban so-called ‘dark patterns’ that delay or obscure the process for opting out of the sale of personal information.”4 In addition to providing clarity on opt-out requests, the regulations also address notice requirements for personal information and how businesses must handle consumer requests made by agents. The following are some of the new regulations:
These revisions went into effect on March 15, 2021. As with the original regulations, businesses found to be out of compliance with the CCPA will receive a ‘notice to cure’ that provides a 30-day window for such businesses to remedy their noncompliance. Violations of CCPA regulations are deemed violations of the CCPA and can result in regulatory penalties as articulated in the CCPA. Businesses can face a regulatory fine of up to $2,500 per violation or $7,500 for each “intentional” violation of the regulations, in addition to potential liability in civil actions. Since CCPA enforcement began on July 1, 2020, the California Department of Justice has noted widespread compliance by companies doing business in California, especially in response to notices to cure.
In light of these new regulations, businesses subject to the CCPA should review the mechanisms they have in place to facilitate consumer opt-out requests to ensure compliance. Additionally, where changes are required, businesses should recall the requirement under the CCPA that notice must be reasonably accessible to consumers with disabilities and ensure that any policy changes continue to provide such accommodations. Please note the CCPA regulation amendments consist of a very small portion of the overall CCPA regulations and do not address the CPRA, which will be effective in 2023.