The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Final Regulations For CCPA Sent For Review

by Chris Brook on Monday June 8, 2020

Contact Us
Free Demo

With CCPA enforcement on track for less than four weeks from now, California’s AG sent his final proposed regulations for the law to be reviewed.

As expected, California's Attorney General submitted his office's final proposed regulations for the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law last week.

Finalization of the regulations, which outline how businesses should comply with the CCPA and how individuals can exercise their rights around how their personal data is handled, is the last step before the CCPA’s scheduled enforcement deadline of July 1, 2020.

Despite pleas to have it delayed in light of this year’s COVID-19 pandemic, Xavier Becerra, California’s AG, has remained resolute that the CCPA will be enforced on that date.

When it comes down to it however, it seems as if the true fate of the law’s enforcement deadline is in the hands of California’s Office of Administrative Law. In submitting the final regulations to the OAL, the office has 30 working days, plus an additional 60 calendar days under a recent Executive Order (N-40-20) to thoroughly review and vet the law for procedural compliance.

Because of the time crunch, Becerra asked the office to expedite its review of the proposed regulations last week.

“While the Attorney General is mindful of the challenges imposed by COVID-19 and Governor Newsom’s Executive Order N-40-20 granting additional time to finalize proposed regulations, the Attorney General respectfully requests that the Office of Administrative Law complete its review within 30 business days, given the statutory mandate for regulations,” the request reads.

The CCPA, which went into effect nearly six months ago on January 1, is California’s landmark privacy law. Designed to expand privacy rights and consumer protection for the state’s residents. The law applies to any business that collects consumer's personal data, does business in California, and meets one of the following qualifications:

  • Has annual gross revenues in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
  • Earns more than half of its annual revenue from selling consumers' personal information.

While there aren’t any big changes from this iteration of the regulations compared to March’s, the fact that this is the final version of the regulations means the end is in sight for those who have been getting ready for the law for years, many who began prepping shortly after it was signed into law on June 28, 2018.

To recap, the law gives individuals the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect. The law also requires businesses to disclose data collection and sharing practices to consumers, and makes it so businesses can’t sell the personal information of consumers who are 16 years old or younger without prior authorization.

March’s regulations, available here, got rid of an opt-out button that could have told companies not sell the consumer’s personal information and clarified procedures for consumer requests.

For anyone looking for a full recap of the CCPA's journey so far, including the final text of proposed regulations, public hearing transcripts, and so on, the AG's website breaks it down in bullet points.

Tags: Compliance

Recommended Resources

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.