August 20, 2020
CCPA Regulations Are Now Effective
On Friday, August 14, 2020, California Attorney General Xavier Becerra announced that the state’s Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. As detailed in our alert on June 12, 2020, the Attorney General submitted final proposed regulations to the OAL on June 1, 2020, and OAL approval was required before the regulations could take effect. The approved regulations—which took effect immediately on August 14, 2020—largely track the final regulations proposed by the Attorney General. The OAL withdrew four provisions,[1] however, and the Attorney General made a number of non-substantive changes for accuracy, consistency, and clarity (the non-substantive changes are detailed by the Office of the Attorney General here). The OAL withdrew the following provisions, though certain of the revisions do not indicate any substantive reversal, as noted below:
At least the first two provisions above were particularly scrutinized during the public comment period, and their exclusion from the final regulations makes requirements for businesses less onerous (for example, businesses required to provide an opt-out-of-sale mechanism may have struggled with a practical offline procedure for opting out of the sale of data). The OAL has offered little insight into its reasoning for withdrawing these provisions, however, and the Attorney General may resubmit these sections after further review and potential revision.
Regardless of the withdrawal of these particular provisions, in light of the official approval of the remainder of the regulations, and the Attorney General’s authorization to enforce them starting immediately, businesses would be well advised to familiarize themselves with the approved regulations. We remain available to advise accordingly.
Bill Extending Key CCPA Exemptions Moves Forward at the Legislature
Separately, on August 13, 2020, the California Senate Judiciary Committee agreed—with a unanimous 9-0 vote—to extend until January 2022 exemptions from certain CCPA requirements for personal information arising from business-to-business (“B2B”) transactions and employment, which are currently set to expire January 1, 2021.[2] The relevant bill, AB 1281, was significantly revamped from a prior bill on June 25, 2020, and now its sole proposal is to extend the foregoing exemptions until January 2022, unless the California Privacy Rights Act (“CPRA”) passes. The CPRA is an initiative that is set for a vote on the November 3, 2020 state ballot, as we discuss in more detail here, and would extend the same exemptions until January 1, 2023. AB 1281 now sits with the Senate Appropriations Committee and was scheduled for a vote on August 19, 2020, but the legislature adjourned its session without a vote on the bill. The next session is scheduled for Monday, August 24. As of now, it appears likely to pass, which means the CCPA would not start applying to employment and B2B-related personal information when the current exemption expires on January 1, 2021.
_____________________
[1] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 §§ 999.305 (a)(5); 999.306(b)(2); 999.315(c);999.326(c).
[2] See California Senate Committee Roll Calls, available at https://sjud.senate.ca.gov/sites/sjud.senate.ca.gov/files/roll_call_reports_all_bills.pdf.
The following Gibson Dunn lawyers assisted in the preparation of this client update: Alexander Southwell, Benjamin Wagner, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Abbey Barrera, Julie Hamilton, and Tony Bedel.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s California Consumer Privacy Act Task Force or its Privacy, Cybersecurity and Consumer Protection practice group:
California Consumer Privacy Act Task Force:
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Deborah L. Stein (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Please also feel free to contact any member of the Privacy, Cybersecurity and Consumer Protection practice group:
United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Deborah L. Stein (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, vlukic@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.