The CCPA goes into effect on January 1, 2020. At this point, all of the enacted amendments have been signed and there is no opportunity for additional legislative amendments to the statute before its effective date. However, businesses have long awaited California Attorney General Xavier Becerra's issuance of implementing regulations, as required by the statute. Late last week, those draft regulations arrived.
On October 10, 2019, AG Becerra issued proposed regulations, accompanied by an Initial Statement of Reasons, Economic and Fiscal Impact Statement, and fact sheet. The regulations, in general, address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing non-discrimination practices. The regulations also introduce new terminology for various CCPA obligations that will likely become part of the privacy vernacular in the United States. Some of the regulations offer practical advice about implementing CCPA compliance measures and specific language to be included in relevant privacy policies (the "good"). Some components add valuable protections for consumers, but propose significant new burdens on entities trying to comply with the CCPA in less than three months (the "bad"). And some appear, seemingly, out of left field (the "unexpected"). While this client alert is not intended to thoroughly analyze all twenty-four pages of the regulations, it identifies some of the most interesting aspects of the regulations, provides practical advice regarding how you might need to adjust your compliance efforts, and if your organization is inclined to comment on the proposed regulations, sets forth information regarding how and when to provide comments.