California CCPA regulations approved and effective immediately
California’s Office of Administrative Law approved the CCPA regulations on 14 August 2020, making the rules effective the same day and clarifying notices, opt-outs, and recordkeeping obligations.
At a glance
On 14 August 2020, the California Office of Administrative Law approved the final CCPA regulations, making them immediately effective. The regulations provide detailed implementation guidance for the California Consumer Privacy Act, clarifying notice requirements, opt-out mechanisms, service provider obligations, and recordkeeping expectations that businesses must implement to comply with the law.
Regulatory Context
The regulations complete the CCPA implementation framework:
- Statutory completion: The CCPA delegated significant implementation details to regulations, which now impose binding requirements beyond the statute's general mandates.
- Immediate effectiveness: Unlike typical regulations with delayed effective dates, these became binding upon OAL approval.
- Enforcement alignment: The regulations coincided with active AG enforcement, meaning non-compliance creates immediate enforcement exposure.
- CPRA transition: While these regulations apply to CCPA, the subsequent California Privacy Rights Act (CPRA) would later modify and expand requirements.
Notice at Collection Requirements
The regulations specify precise notice requirements:
- Timing: Notice must appear at or before the point of collection, whether online forms, mobile apps, or offline interactions.
- Content: Categories of personal information collected, purposes for each category, and whether information is sold or disclosed for business purposes.
- Format: Notices must be reasonably accessible and presented in a clear, conspicuous manner.
- Multiple collection points: Each distinct collection point requires appropriate notice, though notices may reference full privacy policies.
Do Not Sell Requirements
Businesses selling personal information face specific obligations:
- Homepage link: "Do Not Sell My Personal Information" link must appear clearly on website homepages.
- Alternative text: "Do Not Sell My Info" is acceptable as abbreviated text.
- Mobile apps: The regulations allow flexibility in how the link is presented in mobile applications, provided it remains prominent.
- Processing: Opt-out requests must be processed within 15 business days.
Service Provider Requirements
The regulations clarify service provider classification:
- Contractual requirements: Written contracts must prohibit retention, use, or disclosure beyond contracted purposes.
- Certification: Service providers must certify understanding and compliance with restrictions.
- Subcontractor flow-down: Restrictions must flow to subcontractors receiving personal information.
- Sale vs. service: Sharing data for monetary consideration is a sale; service provider relationships require appropriate contractual protections to avoid that classification.
Offline Data Collection
For non-digital interactions:
- In-store: Signage at collection points directing consumers to privacy notices.
- Call centers: Verbal disclosure during interactions or reference to accessible notices.
- Paper forms: Privacy disclosure included on or accompanying collection forms.
- Content scope: Offline notices need not duplicate full privacy policies but must cover key disclosures.
Recordkeeping Requirements
Businesses must maintain compliance records:
- Request records: Log consumer requests and responses for 24 months.
- Response documentation: Document how requests were processed and response timelines.
- Training records: Maintain training completion records for personnel handling consumer requests.
- Audit support: Records must support demonstration of compliance during AG inquiries.
Compliance Verification
If you are affected, verify compliance:
- Compare privacy notices against regulatory formatting requirements.
- Test opt-out mechanisms across all channels.
- Verify service provider contracts include required provisions.
- Confirm recordkeeping procedures meet 24-month retention requirements.
Wrapping up
The CCPA regulations provide essential implementation details that businesses must incorporate into privacy compliance programs. With immediate effectiveness and active enforcement, you should focus on compliance verification and address any gaps promptly.