August 20, 2020
CCPA Regulations Are Now Effective
On Friday, August 14, 2020, California Attorney General Xavier Becerra announced that the state’s Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. As detailed in our alert on June 12, 2020, the Attorney General submitted final proposed regulations to the OAL on June 1, 2020, and OAL approval was required before the regulations could take effect. The approved regulations—which took effect immediately on August 14, 2020—largely track the final regulations proposed by the Attorney General. The OAL withdrew four provisions,[1] however, and the Attorney General made a number of non-substantive changes for accuracy, consistency, and clarity (the non-substantive changes are detailed by the Office of the Attorney General here). The OAL withdrew the following provisions, though certain of the revisions do not indicate any substantive reversal, as noted below:
At least the first two provisions above were particularly scrutinized during the public comment period, and their exclusion from the final regulations makes requirements for businesses less onerous (for example, businesses required to provide an opt-out-of-sale mechanism may have struggled with a practical offline procedure for opting out of the sale of data). The OAL has offered little insight into its reasoning for withdrawing these provisions, however, and the Attorney General may resubmit these sections after further review and potential revision.
Regardless of the withdrawal of these particular provisions, in light of the official approval of the remainder of the regulations, and the Attorney General’s authorization to enforce them starting immediately, businesses would be well advised to familiarize themselves with the approved regulations. We remain available to advise accordingly.
Bill Extending Key CCPA Exemptions Moves Forward at the Legislature
Separately, on August 13, 2020, the California Senate Judiciary Committee agreed—with a unanimous 9-0 vote—to extend until January 2022 exemptions from certain CCPA requirements for personal information arising from business-to-business (“B2B”) transactions and employment, which are currently set to expire January 1, 2021.[2] The relevant bill, AB 1281, was significantly revamped from a prior bill on June 25, 2020, and now its sole proposal is to extend the foregoing exemptions until January 2022, unless the California Privacy Rights Act (“CPRA”) passes. The CPRA is an initiative that is set for a vote on the November 3, 2020 state ballot, as we discuss in more detail here, and would extend the same exemptions until January 1, 2023. AB 1281 now sits with the Senate Appropriations Committee and was scheduled for a vote on August 19, 2020, but the legislature adjourned its session without a vote on the bill. The next session is scheduled for Monday, August 24. As of now, it appears likely to pass, which means the CCPA would not start applying to employment and B2B-related personal information when the current exemption expires on January 1, 2021.
_____________________
[1] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 §§ 999.305 (a)(5); 999.306(b)(2); 999.315(c);999.326(c).
[2] See California Senate Committee Roll Calls, available at https://sjud.senate.ca.gov/sites/sjud.senate.ca.gov/files/roll_call_reports_all_bills.pdf.
The following Gibson Dunn lawyers assisted in the preparation of this client update: Alexander Southwell, Benjamin Wagner, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Abbey Barrera, Julie Hamilton, and Tony Bedel.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s California Consumer Privacy Act Task Force or its Privacy, Cybersecurity and Consumer Protection practice group:
California Consumer Privacy Act Task Force:
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Please also feel free to contact any member of the Privacy, Cybersecurity and Consumer Protection practice group:
United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.