
Final Regulations For CCPA Sent For Review

by Chris Brook on Monday June 8, 2020


With CCPA enforcement on track for less than four weeks from now, California’s AG sent his final proposed regulations for the law to be reviewed.

As expected, California's Attorney General submitted his office's final proposed regulations for the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law last week.

Finalization of the regulations, which outline how businesses should comply with the CCPA and how individuals can exercise their rights around how their personal data is handled, is the last step before the CCPA’s scheduled enforcement deadline of July 1, 2020.

Despite pleas to have it delayed in light of this year’s COVID-19 pandemic, Xavier Becerra, California’s AG, has remained resolute that the CCPA will be enforced on that date.

When it comes down to it, however, it seems the true fate of the law’s enforcement deadline is in the hands of California’s Office of Administrative Law. Now that the final regulations have been submitted to the OAL, the office has 30 working days, plus an additional 60 calendar days under a recent Executive Order (N-40-20), to thoroughly review and vet the law for procedural compliance.

Because of the time crunch, Becerra asked the office to expedite its review of the proposed regulations last week.

“While the Attorney General is mindful of the challenges imposed by COVID-19 and Governor Newsom’s Executive Order N-40-20 granting additional time to finalize proposed regulations, the Attorney General respectfully requests that the Office of Administrative Law complete its review within 30 business days, given the statutory mandate for regulations,” the request reads.

The CCPA, which went into effect nearly six months ago on January 1, is California’s landmark privacy law, designed to expand privacy rights and consumer protection for the state’s residents. The law applies to any business that collects consumers' personal data, does business in California, and meets one of the following qualifications:

  • Has annual gross revenues in excess of $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
  • Earns more than half of its annual revenue from selling consumers' personal information.

While there aren’t any big changes in this iteration of the regulations compared to March’s, the fact that this is the final version means the end is in sight for those who have been getting ready for the law for years, many of whom began prepping shortly after it was signed into law on June 28, 2018.

To recap, the law gives individuals the right to know, the right to delete, and the right to opt out of the sale of personal information that businesses collect. The law also requires businesses to disclose data collection and sharing practices to consumers, and makes it so businesses can’t sell the personal information of consumers who are 16 years old or younger without prior authorization.

March’s regulations, available here, got rid of an opt-out button that could have told companies not to sell the consumer’s personal information and clarified procedures for consumer requests.

For anyone looking for a full recap of the CCPA's journey so far, including the final text of proposed regulations, public hearing transcripts, and so on, the AG's website breaks it down in bullet points.

Tags:  Compliance
