The CCPA Regulations Have Been Approved and are Effective Immediately

Media Centre

The CCPA Regulations Have Been Approved and are Effective Immediately

19 August 2020

Technology & Regulation in the Spotlight

Two months after their submission, on August 14, 2020, the California Office of Administrative Law has approved the final regulations (“Regulations“) for the California Consumer Privacy Act (“CCPA“). The Regulations are effective immediately while the enforcement under the CCPA itself already began on 1 July 2020.

Several updates to provisions in the final draft Regulation were eventually withdrawn from the final Regulations for further consideration, as detailed below:

  • Notice at collection of personal information: Section 999.305(a)(5) which required companies to obtain explicit consent prior to use of consumers’ personal information for a purpose materially different than previously disclosed. However, in such cases a new notice would still have to be provided at the moment of collection.


  • Authorized agents: Section 999.326(c) which permitted a business to deny “requests to know” and “requests to delete” from authorized agents in cases where the agents do not submit proof of their authorization to act on the consumer’s behalf. The previous language requiring authorized agents to provide a written permission from the authorizing consumer (as opposed to “proof”) – remains in place.


  • Notice of right to opt-out of sale of personal information: Section 999.306(b)(2) which required companies whose main medium of interaction with consumers is offline to provide a notice by offline methods. Therefore, a notice on a website should suffice, however, offline methods of notices would still be required for companies that do not operate a website.


  • Requests to opt-out: Section 999.315(c) which required that the method for submitting “requests to opt-out”, as offered by the business, to include minimal steps and be easy for consumers. The provision also prohibited companies from using methods that are designed “with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out”.


  • Opt-out request links: in addition to the abovementioned withdrawn provisions, the words “Do Not Sell My Info’” have been deleted throughout the Regulations to align with the CCPA. Therefore, companies would have to use the phrasing “Do Not Sell My Personal Information” in their opt-out request link on their websites.


Earlier last year we published our CCPA Compliance Playbook to assist in preparing for the recently approved Regulations.

Please feel free to contact us if you have any questions regarding the effect and implications of the CCPA, and how the new Regulations may affect your compliance efforts.

Kind regards,

Ariel Yosefi, Partner

Co-Head | Technology & Regulation Department

Herzog Fox & Neeman

Search by +