
Final Version of the CCPA Implementing Regulations



Jeffrey Aleixo


On August 14, 2020, California Attorney General Xavier Becerra released the final implementing regulations for the California Consumer Privacy Act (CCPA). The CCPA became enforceable on July 1, 2020, and the AG’s office submitted a final proposed draft of the regulations to the California Office of Administrative Law (OAL) on June 1, 2020. The proposed regulations have gone through several revisions since the publication of the initial draft in October of 2019. The OAL approved the final version of the CCPA implementing regulations along with an updated Addendum to the Final Statement of Reasons.

The approval of CCPA implementing regulations establishes specific content and administrative compliance obligations for businesses. Since these regulations take effect immediately, all businesses subject to the CCPA are obliged to comply with both the statute and the regulations.

Summary of CCPA Implementing Regulations

The final implementing regulations are similar to the draft proposed in June. However, the AG’s office has made several non-substantive changes and withdrawn certain proposed provisions for additional consideration. The non-substantive changes are intended to improve accuracy, clarity, and consistency in language and are described in detail in the Addendum to the Final Statement of Reasons.

Non-Substantive Changes

One of the most notable changes in the CCPA implementing regulations is the removal of the option for businesses to use the words "Do Not Sell My Info" for a business’s opt-out link. The OAG explains that this change was made throughout the regulations to align with the express language of the statute. This option was originally included in the October 11, 2019 version of the proposed regulations by the OAG to give businesses a shorthand for the opt-out right notice. This, however, was not approved by the OAL as it was found not to be consistent with the statutory requirement.

Therefore, businesses that sell personal information under the CCPA should include a link with the words "Do Not Sell My Personal Information", which directs users to the notice of the right to opt-out. Although this deletion of the shorthand version of the link is effective immediately, businesses have thirty days to resolve the issue upon receipt of a letter of non-compliance.

The remaining changes to the final regulations are less impactful and appear to be intended to provide clarity or eliminate duplication. For example, instead of using the terms "children" and "minors", the CCPA implementing regulations use the phrases "consumers under 13" and "consumers under 16".

Withdrawn Sections

In addition to the non-substantive changes, some sections were withdrawn from the CCPA implementing regulations:

  1. Removal of guidance on how businesses may use previously collected information for a materially different purpose by obtaining express consent from consumers.

Section 999.305(a)(5) was not included in the CCPA implementing regulations. With the removal of this section, businesses are no longer required to notify consumers directly and obtain explicit consent for new purposes of processing. The underlying statutory requirement imposed by Section 1798.100(b), that businesses cannot use personal information collected for additional purposes without providing the consumer with notice consistent with this section, remains in effect.

  2. Removal of guidance on how businesses substantially interacting with consumers offline should provide notice of the right to opt-out via an offline method.

Section 999.306(b)(2), which was removed from the CCPA implementing regulations, provided businesses with examples of giving notice of the opt-out right to consumers. The withdrawal of this section gives more flexibility by permitting businesses that primarily operate offline to direct consumers to an online opt-out form. However, the newly renumbered Section 999.306(b)(2) still requires any business that does not operate a website to establish, document, and comply with another method by which it informs consumers of their right to opt-out.

  3. Removal of guidance on how businesses can provide consumers with methods for submitting opt-out requests.

Section 999.315(c) was removed and the subsequent section renumbered. The removal of this section reduces the number of compliance standards previously present in the regulations by removing the only reference to an "easy for consumers to execute" standard attached to request mechanisms. The withdrawal of this section also eliminates the only reference in the regulations to a requirement that opt-out requests require minimal steps to execute.

  4. Denying certain requests from authorized agents if they fail to submit documentation.

Another section that was removed is Section 999.326(c), which granted businesses the ability to deny authorized agent requests for failing to submit proof they are authorized to act on behalf of the consumer. However, this withdrawal does not appear to substantively alter the ability of businesses to refuse requests from authorized agents, as that process is also detailed in the sections of the regulations that cover each type of request.

Taking Final Steps to Comply with the CCPA Implementing Regulations

The final CCPA implementing regulations do not introduce major changes to the obligations imposed on businesses in the same way that each prior draft did. The most important development is that the regulations are no longer theoretical, and complying with them is an active obligation for businesses operating within the scope of the CCPA. Also, the withdrawn sections give businesses more flexibility in complying with specific areas of the law.

At the same time, as businesses continue to adjust to the impact of the ongoing COVID-19 pandemic, the approval of the CCPA implementing regulations may cause an unwanted diversion of resources and attention to ensure compliance. Still, now that the regulations are in effect, it is necessary for businesses to review their privacy policies, opt-out links, and internal procedures to ensure that they comply with the requirements of the regulations.

This is especially important given that new obligations may be on the horizon in the form of an even more stringent privacy bill, the California Privacy Rights Act (CPRA). If this initiative is approved, Californian citizens will have their rights under the CCPA expanded, which will create additional obligations for businesses to comply with. That is why businesses need to consider integrating proper software designed to simplify meeting data protection requirements and compliance with different regulations. Thus, employers can protect their organizations from potential penalties, ensure an effective process of data discovery, security, and classification while making minimal impact on companies’ operations and bottom line.

The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emptech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.