With enforcement of the California Consumer Privacy Act set to commence on 1 July 2020, we take a look at the key guidance available across Lexology and some of the most frequently asked questions.

Final CCPA regulations

The California Attorney General’s (AG) office has released the final version of CCPA regulations. The full text can be viewed here.

The third and final version of the regulations are effectively the same as the (second) draft regulations released in March, but the commentary released by the AG provides insight into the thinking behind the regulations and the upcoming enforcement. Take a look at this high-level overview of some of the most significant points from the commentary.

Enforcement from 1 July 2020

Despite calls from the business community and trade associations to delay the enforcement date to January 2021 due to the coronavirus pandemic, the AG has said that “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1”.

Guidance for businesses

Here are some key practical steps businesses should be taking ahead of the 1 July 2020 enforcement date. We also consider in more detail the final regulations, the potential enforcement actions and what this means for organisations.

It is important to bear in mind that the CCPA could also apply to non-profit organisations.  

CCPA 2.0

Businesses also need to keep a close eye on the proposed Consumer Privacy Rights Act (CPRA) which looks set to be on the November ballot. The proposed legislation is structured as an amendment to the CCPA and would establish a new category of “sensitive data”, similar to the GDPR (special category data) but with a much broader scope.

Find out more about the CPRA here.


Below is a list of the most frequently asked questions about the CCPA which are covered in detail across Lexology.

What steps must a business take if it sells personal information?

Does a business need to post a “do not sell” link if it does not sell personal information?

If a business does not identify a specific use for information in a notice at collection, is it prohibited from using information in that manner?

Can a business’s “privacy notice” and “notice at collection” be the same document?

Does CCPA’s Cross-Country Reach Render it Unconstitutional?

Does a business have to translate a “notice at collection” into languages other than English?

What is the average size of a bank’s California privacy notice?

Do most banks and financial service companies take the position that the use of third party behavioral advertising cookies is, or is not, the “sale” of personal information?

Be prepared by using Lexology PRO – our premium service which provides practical data protection guidance and insight as well as intuitive tools to help transform your legal research.

  • INSIGHT: Keep up-to-date with key developments by following our CCPA hub page where you can find all curated, must-read articles like those above, hand-picked by our team of experts.
  • COMPARE: Use our intuitive Data Protection & Privacy GTDT comparison tool which provides timely comparative analysis of the most important data protection and data privacy laws in force or in preparation throughout the globe.
  • DEEP DIVE: Check out The Privacy, Data Protection and Cybersecurity Law Review which provides in-depth analysis of this area of law, including the impact of the CCPA on businesses.
  • WATCH: Short, timely video clips to help you get up-to-speed on all of the latest legal topics.
  • ASK LEXY: A powerful AI search engine which compares articles or any piece of text to pull up related content to enhance your research.

Click here to request your free Lexology PRO demo.