Just over eight months after the effective date of the California Consumer Privacy Act (CCPA), the California Office of Administrative Law (OAL) approved the final California Attorney General’s CCPA regulations on June 1, 2020. The regulations are effective immediately.

In conjunction with the release of the final version of the regulations, the AG released an Addendum to Final Statement of Reasons explaining that it had (1) withdrawn certain provisions for additional consideration and (2) any changes to the text of the June 1, 2020 regulations were “non-substantive” and for “accuracy, consistency, and clarity.” The AG defined “non-substantive” as those changes that “clarify without materially altering the requirements, rights, responsibilities, conditions or prescriptions contained in the original text.”

Several key regulations have been withdrawn:

  1. Section 999.305(a)(5), which would have required businesses to obtain an affirmative opt-in for a material change to how a business uses personal information as opposed to simply requiring a notice.
  2. Section 999.306(b)(2), which would have required business who primarily deal with consumers offline to produce an offline notice of a right to opt-out from providing personal information under the CCPA.
  3. Section 999.315(c), which contained a nebulous requirement that method by which a consumer could exercise their opt-out rights must “be easy for consumers to execute” and require “minimal steps.”
  4. Section 999.326(c), which would have allowed a business to deny a request by an authorized agent on behalf of a consumer if the agent did not submit proof of their authority to act for the consumer.

Although changes to the existing text of the regulations were characterized as “non-substantial,” the following changes are worth noting:

  • The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute which contains the language “Do Not Sell My Personal Information.”
  • The requirement in Section 999.308(c)(1)(e) that business identify the sources from which their personal information is collected “be described in a manner that provides consumers a meaningful understanding of the information being collected” in the privacy policy has been deleted but business must still identify the categories of those sources.
  • The severability provision, formerly in Section 999.341, was deleted. This provision had stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.”

Businesses that have actively been reviewing and auditing their CCPA compliance since the release of the draft regulations will likely find that the final regulations will not substantially change their compliance programs. But businesses that have not actively been considering how the AG’s regulations will affect their CCPA compliance programs should take the time to do so now.

For more information regarding this post, please contact Ashley R. Fickel.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.