Reed Smith Client Alerts

On Friday, February 7, 2020, the California Department of Justice, Office of the Attorney General (AG) released revisions to the proposed California Consumer Privacy Act (CCPA) regulations, which were originally published and noticed for public comment on October 11, 2019. The announced changes were made in response to public comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law. The AG will accept written comments regarding the revised proposal or materials added to the rulemaking file until 5 p.m. (PST) on February 24, 2020.

This alert summarizes the notable changes to the proposed regulations and provides a preliminary analysis of the effects of those changes. This analysis is not intended to be exhaustive.

Authors: Sarah L. Bruno

UPDATE: Since this client alert was issued, the deadline to comment has been extended to Tuesday, February 25, 2020 and one substantive change was made: the notice requirements that previously applied to companies with the personal information of 4,000,000 consumers has been increased to 10,000,000 consumers. 


The latest proposed and revised CCPA regulations from the California Attorney General may provide some relief and clarity for covered businesses. There is much to unpack in the AG's revisions. A few examples include: 

(1) Personal Information Definition Exclusions. The regulations clarify the definition of  "personal information" to exclude certain information based on the "manner" in which a business "maintains" the information;

(2) 90 Day Look Back Removal. The regulations remove the 90 day look back period from the sale opt-out requirement; and 

(3) Non-Discrimination Clarification. The regulations clarify the non-discrimination provision to state that it is not discriminatory to deny a request to know, a request to delete, or an opt-out for reasons permitted by the CCPA.

What does it mean for my business?

While the revised regulations depart from the initial proposed regulations in a few key ways, businesses that built CCPA compliance programs based on the initial proposed regulations will largely be in good shape should these regulations become final as drafted. They should, however, consider how and to what extent these revisions will impact their existing efforts. The AG has provided no indication that he intends to delay the July 1, 2020 enforcement date, or eliminate the basic rights afforded to California consumers or the corresponding requirements placed on covered businesses by the CCPA. Any covered business that has not yet started its compliance program should start that work now.

Still, there may be more to come, as these changes are subject to additional comments until February 24.