California CCPA regulations approved and effective immediately
California’s Office of Administrative Law approved the CCPA regulations on 14 August 2020, making the rules effective the same day and clarifying notices, opt-outs, and recordkeeping obligations.
At a glance
On 14 August 2020, the California Office of Administrative Law (OAL) approved the final CCPA regulations, making them effective immediately. The regulations provide detailed implementation guidance for the California Consumer Privacy Act, clarifying the notice requirements, opt-out mechanisms, service provider obligations, and recordkeeping expectations that businesses must implement to comply with the law.
Regulatory Context
The regulations complete the CCPA implementation framework:
- Statutory completion: The CCPA delegated significant implementation detail to the Attorney General's regulations, which now impose binding requirements beyond the statute's general mandates.
- Immediate effectiveness: Unlike typical regulations, which take effect on a later date, these became binding on the day OAL approved them.
- Enforcement alignment: The regulations arrived after the Attorney General's enforcement authority began on 1 July 2020, so non-compliance creates immediate enforcement exposure.
- CPRA transition: These regulations implement the CCPA; the subsequent California Privacy Rights Act (CPRA) later modified and expanded the requirements.
Notice at Collection Requirements
The regulations specify precise notice-at-collection requirements:
- Timing: Notice must be given at or before the point of collection, whether through online forms, mobile apps, or offline interactions.
- Content: The categories of personal information collected, the purposes for which each category is used, whether the information is sold (with a link to the opt-out if it is), and a link to the business's full privacy policy.
- Format: Notices must be written in plain language, be reasonably accessible (including to consumers with disabilities), and be presented in a clear, conspicuous manner.
- Multiple collection points: Each distinct collection point needs its own notice, although a notice may link to the relevant section of the full privacy policy instead of restating it.
Do Not Sell Requirements
Businesses that sell personal information face specific obligations:
- Homepage link: A clear and conspicuous "Do Not Sell My Personal Information" link must appear on the website homepage and in the privacy policy.
- Alternative text: "Do Not Sell My Info" is acceptable abbreviated link text.
- Mobile apps: Businesses that collect personal information through a mobile application get flexibility in where the link is placed, provided it remains prominent.
- Processing: Opt-out requests must be honored as soon as feasibly possible and no later than 15 business days after receipt.
Service Provider Requirements
The regulations clarify service provider classification:
- Contractual requirements: A written contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than performing the contracted services.
- Certification: The recipient must certify that it understands the restrictions and will comply with them.
- Subcontractor flow-down: The same restrictions must flow down to any subcontractor that receives the personal information.
- Sale vs. service: Disclosing personal information for monetary or other valuable consideration is a sale; a service provider relationship avoids that classification only when the required contractual protections are in place.
Offline Data Collection
For non-digital interactions:
- In-store: Post signage at collection points directing consumers to where the privacy notice can be found.
- Call centers: Give the disclosure orally during the call, or direct the consumer to an accessible notice.
- Paper forms: Print the privacy disclosure on, or attach it to, the collection form.
- Content scope: Offline notices need not reproduce the full privacy policy, but they must cover the key notice-at-collection disclosures.
Recordkeeping Requirements
Businesses must maintain compliance records:
- Request records: Keep a record of each consumer request and the business's response for at least 24 months.
- Response documentation: Document how each request was processed and the timeline in which it was answered.
- Training records: Keep records showing that personnel who handle consumer requests have been trained on the CCPA requirements and on how to direct consumers to exercise their rights.
- Audit support: Records must be sufficient to demonstrate compliance during an Attorney General inquiry.
Compliance Verification
If you are affected, verify compliance against the regulations:
- Compare each privacy notice and notice at collection against the regulatory content and formatting requirements.
- Test opt-out mechanisms across every channel (web, mobile, offline) and confirm requests are honored within 15 business days.
- Verify that every service provider contract contains the required use, disclosure, and subcontractor flow-down restrictions.
- Confirm that request logs and response records are retained for at least 24 months.
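Three of the verification steps above can be partly automated: scanning a homepage for the accepted opt-out link text, computing the 15-business-day opt-out deadline, and computing the 24-month retention window. The script below is an added example, not code from the original page or from any regulator. It assumes case-insensitive matching of the two link phrases (an assumption of this checker, not something the regulations spell out), takes the holiday calendar as caller input, and uses a constructed sample homepage.

```python
"""Automated spot-checks for opt-out link text, the 15-business-day
opt-out deadline, and the 24-month record-retention window.

Added example; not code from the original page. The sample HTML and
the holiday list are constructed for illustration."""
import calendar
from datetime import date, timedelta
from html.parser import HTMLParser

# Link text the regulations accept; comparison is case-insensitive with
# whitespace collapsed, which is an assumption of this checker.
ACCEPTED_OPT_OUT_TEXT = {
    "do not sell my personal information",
    "do not sell my info",
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self._in_link = False
        self._href = ""
        self._buf = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_link = True
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        if self._in_link:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_link:
            # Collapse runs of whitespace so a link text wrapped across
            # lines still matches the accepted phrase.
            text = " ".join("".join(self._buf).split()).lower()
            self.links.append((self._href, text))
            self._in_link = False


def find_opt_out_links(html):
    """Return the hrefs of links whose visible text is an accepted phrase.
    An empty list means the page fails the check. This does not test
    visual prominence, which still needs a human review."""
    parser = _LinkCollector()
    parser.feed(html)
    return [href for href, text in parser.links if text in ACCEPTED_OPT_OUT_TEXT]


def opt_out_deadline(received, holidays=()):
    """Latest date to honor an opt-out: 15 business days after receipt.
    Weekends are skipped; `holidays` is an assumed, caller-supplied list."""
    remaining, day = 15, received
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            remaining -= 1
    return day


def retention_cutoff(today):
    """Oldest request date whose record must still be on file (24 months).
    The day is clamped to the last day of the month (e.g. 29 Feb -> 28 Feb)."""
    year = today.year - 2
    last_day = calendar.monthrange(year, today.month)[1]
    return today.replace(year=year, day=min(today.day, last_day))


def must_retain(request_date, today):
    """True if a request record is still inside the 24-month window."""
    return request_date >= retention_cutoff(today)


# Constructed sample homepage (not a real site).
SAMPLE_HOMEPAGE = """
<html><body>
<a href="/privacy">Privacy Policy</a>
<footer>
  <a href="/ccpa/opt-out">Do Not Sell My
     Personal Information</a>
  <a href="/contact">Contact</a>
</footer>
</body></html>
"""

if __name__ == "__main__":
    print("opt-out links:", find_opt_out_links(SAMPLE_HOMEPAGE))
    print("deadline for a request received 2020-08-21 (Labor Day skipped):",
          opt_out_deadline(date(2020, 8, 21), holidays=(date(2020, 9, 7),)))
    print("retention cutoff as of 2022-08-14:", retention_cutoff(date(2022, 8, 14)))
```

Run it against a saved copy of the homepage and of the privacy policy page, since the link is required in both places. A passing text check is necessary but not sufficient: the regulations also require the link to be clear and conspicuous, which a parser cannot judge.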
Wrapping up
The CCPA regulations provide the implementation details that businesses must incorporate into their privacy compliance programs. Because they took effect immediately and enforcement was already under way, you should verify compliance now and close any gaps promptly.