The California Attorney General (“AG”) has submitted his proposed final CCPA regulations to the California Office of Administrative Law (“OAL”).

The proposed final rules substantively are the same as the draft rules released for public notice on March 11, which we summarized previously here.   However, the AG’s responses to comments and Final Statements of Reasons accompanying the final rulemaking package provide guidance on the AG’s position on key ambiguities under the CCPA.   For example, in declining to clarify whether the use of website cookies shared with third parties is a “sale,” the AG emphasized that, “[w]hether the particular situations raised in the comments constitutes a “sale” raises specific legal questions that would require a fact-specific determination, including whether or not there was monetary or other valuable consideration involved, the consumer directed the business to intentionally disclose the personal information, and whether the parties involved were service providers.”  The response thus is consistent with a determination that there is no “sale” of personal information based on specific facts and circumstances.  Other commentary provides guidance on such topics as the AG’s understanding of financial incentive provisions, obligations to respond to access and deletion requests, and when the law is applicable.

In terms of process and timing, the OAL has a period of time to review the draft rules for compliance with the California Administrative Procedure Act.  Typically, this period is 30 business days, but this has been extended for an additional 60 calendar days as part of one of the California Governor’s COVID-related executive orders.  Upon approval, the OAL will file the rules with the Secretary of State.

Under California law, rules typically go into effect on a quarterly schedule, and proposed rules filed with the Secretary of State between June 1 and August 1 would typically go into effect October 1.  However, the AG has submitted a request to OAL for the rules to go into effect immediately at the time the rules are filed with the Secretary of State rather than on the quarterly schedule.   His request for expedited timing does not does not include a clear statement of necessity, public interest, or other rationale for the earlier effective date.  The closest he appears to comes is the statement that, “Once final regulations are adopted, the Attorney General will enforce the regulations that establish procedures to facilitate new consumer rights under the CCPA and provide guidance to businesses for how to comply.”

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.