CCPA Draft Regulations Released and Amendments Signed into Law

October 21, 2019 Advisory

On Oct. 10, California Attorney General Xavier Becerra released draft regulations for the California Consumer Privacy Act of 2018 (CCPA). Currently, interested parties may submit comments electronically or at four in-person public forums in Sacramento (Dec. 2), Los Angeles (Dec. 3), San Francisco (Dec. 4) and Fresno (Dec. 5). The deadline for submission of written comments is Dec. 6, 2019.

The draft regulations include guidance on the following critical topics:

Busines s Practices for Handling Consumer Requests;
Verification of Requests;
Special Rules Regarding Minors; and
Nondiscrimination.

On Oct. 11, 2019, Gov. Gavin Newsom signed into law the six CCPA amendment bills passed by the California legislature. While these amendments covered critical topics such as required mechanisms for effecting a data subject access request, de-identified and aggregate data, a vehicle warranty/recall exemption, and data broker registration, perhaps the most significant changes to the law are those that largely exempt personal data processed in the human resources and business-to-business (B2B) contexts from the scope of law for a one-year period.

The final regulations are expected sometime in early 2020 for the law that will go into effect on Jan. 1, 2020. Enforcement of the CCPA is scheduled to begin July 1, 2020.

Armstrong Teasdale attorneys across disciplines routinely advise and conduct risk assessments for a range of clients — from internet startups to Fortune 100 companies — related to data privacy. Our firm established one of the first Privacy and Data Security practices in the Midwest and is dedicated to solving domestic and international privacy and data security matters. Our skilled attorneys include California-licensed employment counsel as well as Certified Information Privacy Professionals in the U.S. and abroad, Certified Ethical Hackers (C|EH) and professionals with extensive experience counseling clients on compliance with CCPA and the Global Data Protection Regulation (GDPR).