Final CCPA Regs Are Finally Here, Effective Date is Unclear
On June 1, the Office of the California Attorney General submitted its final proposed CCPA regulations package to the California Office of Administrative Law (OAL). The long-awaited move comes only one month from the law’s July 1 enforcement date. The substance of the final regulations has not changed since the previous draft was released on March 11, which we discussed here. In light of the lack of substantive changes and the impending enforcement of the law, it is frustrating that almost three months have passed since the previous draft was published—arguably par for the course as far as the CCPA goes.
The Attorney General’s submission suggests that the current proposed regulations are in their final form, which does provide some certainty for organizations, and is no doubt welcome news for those that have been adjusting their compliance programs to address the March 11 proposal. But the final regulations still fail to clarify many ambiguous aspects of the CCPA or provide relief for smaller organizations with minimal data processing operations. For example, as we explained previously, the regulations do not clarify what qualifies as a “sale,” and an organization that only collects IP addresses through a website, and no further personal information, could still be covered by the law.
It also remains unclear when, precisely, the regulations will take effect. For regulations to take effect under California law, the OAL must evaluate whether the rulemaking package complies with the California Administrative Procedure Act. The OAL generally has 30 “working days” to complete that review. An executive order relating to the COVID-19 pandemic issued by Governor Gavin Newsom has extended that timeline by 60 calendar days. Once approved by the OAL, regulations typically take effect on one of four quarterly dates: January 1, if filed between September 1 and November 30; April 1, if filed between December 1 and February 29; July 1, if filed between March 1 and May 31; and October 1, if filed between June 1 and August 31. Under these rules, the earliest date the CCPA regulations could take effect would be October 1.
As explained on the OAL website describing California’s rulemaking process, however, “effective dates may vary . . . if the agency demonstrates good cause for an earlier effective date.” Here, the Office of the Attorney General has tried to make that showing, including in the package it submitted to the OAL a Written Justification for Earlier Effective Date and Request for Expedited Review. That justification notes that the CCPA requires the Attorney General to adopt regulations by July 1, and therefore asks the OAL to complete its review “within 30 business days,” with the regulations to take effect upon filing with the California Secretary of State, rather than the next quarterly effective date.
So when will the CCPA regulations take effect? We don’t know, unfortunately. The OAL could approve the regulations in June and file them with the Secretary of State before the CCPA’s July 1 enforcement date. Or it could agree to perform an expedited review but take the full thirty business days, which would put the effective date in mid-July. Alternatively, it could reject the request for expedited review and take the time allowed by the COVID-19 executive order, which would likely result in an effective date between mid-July and October 1.
No matter how the approval process plays out, the Attorney General’s office has stated that “it is committed to enforcing the law on July 1,” suggesting that there may be enforcement actions even before the regulations have taken effect. For that reason, organizations that have waited on final regulations to implement the CCPA (or determine whether it applies) should press ahead with their compliance efforts. Even though the regulations are not yet effective, they provide a helpful forecast of how the Attorney General will interpret the statute.