The CCPA Final Regulations

CCPA Final RegulationsOn June 1, 2020, following months of negotiations, modifications, rule making events, public hearings, and public comments, the California Office of the Attorney General has submitted the final text of the CCPA regulations to the California Office of Administrative Law (OAL). The AG has requested that the OAL complete its review within 30 business days in an effort to meet the CCPA’s July 1, 2020 enforcement date. Once OAL approves, the final regulation will become enforceable by law. The final text is roughly the same as the version released in March 2020, minus a few immaterial formatting and language tweaks. However, there are some clarifications and changes since the initial draft regulations proposed in October 2019. 

Required Disclosures

The regulations reaffirm that affected businesses must provide privacy policies to consumers, and disclose the categories of sources from which they collect consumers’ personal information, and categories of third parties with whom they share the information. The regulations clarify that “categories of sources”, or “third parties”, mean groupings of persons or entities including the consumer directly, advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, and data brokers. 

The regulations also restrict businesses to the use of consumer’s personal information as described in the privacy policy at the time of collection. Likewise, a businesses is only required to provide notice and obtain consent of a new use of the information when the new purpose is “materially different” from the previously disclosed uses in the privacy policy.

Timing of Disclosure

Businesses must provide “timely notice” to the consumer at or before the point of collection of information. This notice may be electronic or in-person. The final regulations include several examples of how businesses can comply with this notice requirement to consumers, depending on how the business collects information.

Restriction on the Sale of Personal Information

Businesses can not sell any personal information they collect at any point before they give notice of the right to opt-out. However, there is an exception if they obtain a consumer’s consent prior to the sale.

Consumer Right to Delete and Know Requests

The CCPA guarantees a number of consumer rights that businesses must ensure, and the final regulations have made two noteworthy changes since the original regulations. 

Request to Delete

The previously mandatory two-step process for online requests to delete personal information is now optional. This should simplify and streamline the process for businesses. The two-step process allows a business to require a consumer to:

  1. request deletion; and
  2.  confirm the request in a separate communication.

Now a business can immediately honor the consumer’s request without having to confirm a separate communication. However, a business can now deny the request if it cannot verify the consumer’s identity within 45-days.

Request to Know

In responding to a request to know, a business is not required to search for personal information if all the following conditions are met:

  1. the business does not maintain the personal information in a searchable or reasonably accessible format; and
  2.  the business maintains the information for legal or compliance purposes; and
  3. the business does not sell the personal information or use it for commercial purposes; and
  4.  the business describes to the consumer the categories of records that may contain personal information that it did not search pursuant to this provision of the regulations.
Service Providers

A company that provides services to an entity that is not a business under the CCPA can still be deemed a service provider if it would have otherwise met the service provider requirements. This provision is intended to expand the scope of services provides to cover entities such as non-profit organizations. 


Additionally, the final regulations require businesses to “implement and maintain reasonable security procedures and practices” to protect the records about personal information that the CCPA requires them to maintain. This clarifies the obligations businesses now have to securely maintain these records, which they must do for at least 24 months. 

In addition to the issues above, there have been numerous additional changes since the additional October regulations. Furthermore, while these have yet to be approved by the OAL, businesses should review these final regulations and update their CCPA compliance programs accordingly prior to July 1, 2020.