Keypoint: The California Privacy Protection Agency’s issuance of significantly modified proposed regulations comes days in advance of four scheduled Board meetings where the proposed regulations will open to debate, modification, and potential adoption.

On Monday, September 17, 2022, the California Privacy Protection Agency (CPPA or Agency) issued modified proposed CPRA regulations as well as an explanation for the changes. The modified proposed regulations follow a 45-day written comment period on the initial proposed regulations that ended on August 23, 2022, and two public hearings that were held on August 24 and 25, 2022. Interested parties submitted over 1,000 pages of written comments during the written comment period.

The issuance of modified proposed regulations was expected based on comments made during the Agency’s prior Board meeting on September 23, 2022. The Agency initially issued the modified proposed regulations in connection with two days of Board meetings scheduled for October 21 and 22, 2022. Later in the day on September 17, the Agency announced that it will hold two more days of Board meetings on October 28 and 29, 2022.

At the meetings, the Board will discuss the proposed regulations, including possible adoption or modification of the text. To that end, the accompanying explanation document identifies twenty-eight (28) items that Agency staff recommend for discussion at the meetings.

In the below post, we first provide high-level takeaways from the modified proposed regulations. We then discuss some of the more notable changes. We do not attempt to summarize all of the changes.

On August 14, 2020, Attorney General Becerra announced that the California Office of Administrative Law (OAL) approved the final regulations related to the California Consumer Privacy Act (CCPA) an filed them with the Secretary of State. The regulations go into effect immediately.

The Attorney General’s office submitted the final proposed regulations to the OAL on June 1, 2020. As part of the final regulations package, the Attorney General requested an expedited review of 30 business days and that the regulations become effective upon filing with the Secretary of State. Although not satisfying the 30-day request, the OAL did complete its review in short order, particularly in light of two executive orders by California’s governor extending the OAL’s review period by an additional 120 days.

Saturday, November 2, will mark 60 days until the California Consumer Privacy Act (CCPA) goes into effect. While each organization will have its unique compliance challenges, as discussed below, there are a discrete set of tasks – at a minimum – that each organization needs to undertake in the next 60 days as the first steps toward compliance.

In addition, on November 13, members of Husch Blackwell’s privacy and cybersecurity practice group will present a webinar to discuss these tasks in greater detail.  For more information or to register, click here.

Keypoint: The long-awaited proposed AG regulations are here, and while they provide some much-needed clarity, they will leave businesses wanting more.

On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2, 3, 4 and 5, 2019, and that the written comment period will end on December 6, 2019, at 5:00 p.m.

In the following blog post, we will analyze and discuss many of these proposed regulations. In addition, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations.  Click here to register.

We previously posted that Alastair Mactaggart, one of the co-authors of the California Consumer Privacy Act (CCPA), intended to submit a new ballot initiative to strengthen the privacy rights that already exist in the CCPA. The full text of the ballot measure – which is entitled the California Consumer Privacy Rights and Enforcement Act of 2020 – is now available on the California Attorney General’s website.  There also is an annotated version of the initiative available here.

While Mactaggart’s press release identified a few of the proposed changes, our initial review of the initiative is that it would bring about a substantial rewrite of the CCPA.  While there is a lot to unpack in this initiative, here are our initial highlights:

Alastair Mactaggart, Founder & Chair of Californians for Consumer Privacy, announced that he intends to file a ballot initiative – the California Privacy Enforcement Act – to appear on the November 2020 ballot. According to his press release, the new law would:

  • Create new rights around the use and sale of sensitive personal information, such as

Keypoint: The California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by year end. Although the exact contours of the regulations are yet to be determined, businesses subject to the CCPA will need to understand the regulations and integrate their requirements into their CCPA compliance efforts.

The final piece of the CCPA puzzle should be in place by year end. According to Bloomberg Law, the California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by the CCPA’s January 1, 2020, effective date. That report is in line with prior expectations that the AG’s office would publish draft regulations shortly after the California Governor’s October 13 deadline to sign the CCPA amendments that passed the legislature on September 13.

Although the CCPA becomes effective on January 1, 2020, the AG’s office cannot bring an enforcement action “until six months after the publication of final regulations . . . or July 1, 2020, whichever is sooner.” Therefore, it appears the AG’s office could potentially be poised to start enforcement actions prior to July 1, 2020.

September 13 was the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA) prior to its January 1, 2020, effective date. After months of speculation and anticipation, we finally have clarity (subject to the Governor’s approval) on the CCPA’s provisions.

Although there were changes – and both business and privacy advocates are claiming victories – the CCPA did not undergo a dramatic change. For businesses, the most notable changes are the addition of limited exemptions for the personal information of employees and business to business contacts as well as changes to the definition of personal information. On the other hand, privacy advocates will point to what did not change, namely, the CCPA retained its core privacy rights.

Below we discuss the changes.

Key Point: If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.

On September 6, the California legislature passed amendments to the state’s data breach notification statutes (Cal.