Keypoint: The California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by year end. Although the exact contours of the regulations are yet to be determined, businesses subject to the CCPA will need to understand the regulations and integrate their requirements into their CCPA compliance efforts.

The final piece of the CCPA puzzle should be in place by year end. According to Bloomberg Law, the California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by the CCPA’s January 1, 2020, effective date. That report is in line with prior expectations that the AG’s office would publish draft regulations shortly after the California Governor’s October 13 deadline to sign the CCPA amendments that passed the legislature on September 13.

Although the CCPA becomes effective on January 1, 2020, the AG’s office cannot bring an enforcement action “until six months after the publication of final regulations . . . or July 1, 2020, whichever is sooner.” Therefore, it appears the AG’s office could potentially be poised to start enforcement actions prior to July 1, 2020.

The CCPA requires the AG’s office to publish regulations on seven topics:

  1. Additional categories of personal information;
  2. Updating the CCPA’s definition of unique identifiers;
  3. Establishing exceptions necessary to comply with state or federal law;
  4. Providing rules and procedures relating to consumer opt-out requests, including the development of a uniform opt-out logo/button;
  5. Establishing rules, procedures and practices for consumer notices, including financial incentive offerings;
  6. Developing rules and procedures relating to verifiable consumer requests, including verification of the consumer’s request; and
  7. Adjusting the monetary threshold in the CCPA’s definition of business to reflect any increase in the Consumer Price Index.

The CCPA requires that the AG’s office “solicit broad public participation” prior to issuing regulations. The CCPA also provides that the AG’s office may adopt additional regulations as necessary “to further the purposes of this title.” As part of the September 2019 amendments, the AG’s office is further authorized to “establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.”

As part of its rulemaking process, the AG’s office hosted public forums from January 8, 2019 to March 5, 2019. Transcripts of those public forums are available here. The AG’s office also received over 1,300 pages of written comments, which are available here and here.

Notably, the oral and written comments submitted to the AG’s office routinely addressed topics outside of the topics specifically set forth in the CCPA. Because the CCPA authorizes the AG’s office to issue regulations to “further the purposes” of the CCPA, it is possible that the AG could issue regulations on a wide-variety of subjects. However, this seems unlikely given that the legislature just finished an extensive and heavily lobbied amendment process.

The AG’s office previously published a pictorial guide to the rulemaking process, which is available here (at page 3). The guide indicates that there will be a minimum 45-day public comment period on the draft regulations.  If there are no changes or non-substantial and sufficiently related changes, the regulations will proceed to adoption. If there are substantial and sufficiently related changes, another 15-day comment period is triggered. If there are major changes, a new 45-day public comment period is triggered.

Whatever the exact contours of the regulations, this much is clear: Businesses subject to the CCPA will need to pay close attention to them and adapt their CCPA-compliance efforts to meet their requirements.

Finally, businesses should keep in mind that California residents can exercise their CCPA rights as of January 1, 2020, and the CCPA’s private right of action becomes effective as of that date. Consequently, businesses should not use the regulatory rulemaking process as an excuse not to drive CCPA compliance prior to the statute’s effective date.