California OAL approves final CCPA regulations effective immediately
The California Office of Administrative Law approved the Attorney General’s CCPA regulations on August 14, 2020, filing them with immediate effect and clarifying notices, request handling, and verification standards.
Reviewed for accuracy by Kodi C.
Regulatory Approval
The California Office of Administrative Law approved the Attorney General's CCPA regulations on August 14, 2020, filing them with immediate effect. The approval concluded a multi-round regulatory process that refined requirements for privacy notices, consumer request handling, and identity verification standards. OAL's approval made the regulations immediately enforceable, establishing binding compliance obligations for businesses meeting CCPA thresholds. The regulations codify detailed operational requirements that translate the statute's consumer rights into practical implementation mandates.
Notice Requirements
The regulations establish detailed requirements for privacy notices at collection. Sections 999.305-999.307 require that notices include the categories of personal information collected, the purposes for collection, and links to opt-out mechanisms where applicable. Notices must be provided at or before the point of collection, with specific formats prescribed for online, mobile, and offline contexts. Businesses should audit existing notice templates against regulatory specifications, ensuring language covers all required disclosures and provides clear, understandable explanations of consumer rights.
Request Handling Procedures
Sections 999.312-999.325 detail requirements for consumer request intake, processing, and response. Businesses must provide at least two designated methods for submitting requests, including (for online businesses) an interactive webform. Requests must be acknowledged within 10 business days and fulfilled within 45 days. The regulations establish procedures for complex requests, partial responses, and extensions. If you are affected, align intake workflows with regulatory requirements, documenting methods used to authenticate requesters and segregating household requests where applicable.
Identity Verification
The regulations set up a verification framework that scales with request sensitivity. Requests to know categories of personal information require reasonable verification. Requests for specific pieces of information or deletion require verification to a reasonably high degree of certainty. Verification must be proportionate—businesses cannot request additional information solely to verify identity if existing account mechanisms provide adequate certainty. If you are affected, document verification procedures, maintain verification records, and train staff on proportionate verification appropriate to different request types.
Financial Incentives and Loyalty Programs
Section 999.336 addresses financial incentive programs including loyalty programs, discounts, and rewards. Businesses offering price differences based on personal information collection or sale must explain the material terms and provide good-faith value calculations. Opt-in mechanisms must be clear, and opt-out rights must be honored without penalty. Review any loyalty or discount programs to confirm value calculations are documented, opt-in records are retained for audit, and program terms accurately describe the personal information involved and its estimated value.
Service Provider and Third-Party Requirements
The regulations clarify service provider obligations, requiring written contracts that limit data use to business purposes and prohibit retention beyond specified purposes. Sections 999.314 and 999.331 address service provider responsibilities for consumer request handling, requiring that deletion requests be forwarded to service providers, who must comply with deletion obligations. If you are affected, audit service provider contracts for required language, establish mechanisms for flowing deletion requests to contractors, and document contractual provisions addressing personal information handling, retention, and return or destruction obligations.
Record-Keeping and Compliance Documentation
Section 999.317 establishes record-keeping requirements for businesses receiving high volumes of consumer requests (10 million or more consumers' data). Required records include request categories received, response times, and metrics on denial rates. Even businesses below this threshold should maintain documentation supporting compliance demonstrations. Documentation should capture policy versions, training completion, request processing evidence, and how verification procedures were implemented, to support responses to potential AG inquiries or enforcement actions.