CCPA Regulations

The CCPA regulations govern compliance with the California Consumer Privacy Act. They provide guidance to businesses on how to inform consumers of their rights under the CCPA, how to handle consumer requests, how to verify the identity of consumers making requests, and how to apply the law as it relates to minors. In doing so, the regulations make it easier for consumers to exercise their CCPA rights.

The regulations went into effect on August 14, 2020. Additional amendments to the regulations went into effect on March 15, 2021. Below are the documents that were submitted to the Office of Administrative Law (OAL). Anyone who submitted a comment regarding the regulations has the right to request a copy of the final statement of reasons.

In November 2020, voters approved Proposition 24, the California Privacy Rights Act of 2020, establishing the California Privacy Protection Agency (CPPA) to implement and enforce the California Consumer Privacy Act. On October 21, 2021, the CPPA provided notice to the Attorney General that it was prepared to assume rulemaking responsibilities. Rulemaking authority transfers from the Attorney General to the CPPA six months after this notice.

CCPA Regulations – Documents filed with OAL in June 2020

#	Document Name	Date of Event
1.	OAL Amended Notice of Approval in Part and Withdrawal in Part	August 27, 2020
2.	Final Text of Regulations [UPDATED]	August 14, 2020
	WWW Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018). [Incorporated by Reference]
3.	Addendum to Final Statement of Reasons	August 14, 2020
4.	Final Statement of Reasons	June 1, 2020
	Appendix A. Summary and Response to Comments Submitted during 45-Day Period
	Appendix B. List of Commenters from 45-Day Period
	Appendix C. Summary and Response to Comments Submitted during 1st 15-Day Period
	Appendix D. List of Commenters from 1st 15-Day Period
	Appendix E. Summary and Response to Comments Submitted during 2nd 15-Day Period
	Appendix F. List of Commenters from 2nd 15-Day Period
5.	Form 400 – Endorsed and Filed Version [Updated]	August 14, 2020
6.	Updated Informative Digest	June 1, 2020
7.	Written Justification for Earlier Effective Date and Request for Expedited Review	June 1, 2020
8.	Notice of Proposed Rulemaking	October 11, 2019
9.	Original Proposed Regulations	October 11, 2019
10.	Initial Statement of Reasons (ISOR), includes Appendices A, B	October 11, 2019
11.	Statement of Mailing First 45-Day Notice	May 27, 2020
12.	First Notice of Modifications	February 10, 2020
13.	First Modified Regulations	February 10, 2020
14.	Statement of Mailing First 15-Day Notice	May 27, 2020
15.	Second Notice of Modifications	March 27, 2020
16.	Second Modified Regulations	March 27, 2020
17.	Statement of Mailing Second 15-Day Notice	May 27, 2020
18.	Public Comments Note: The comments are marked up based on each commenter and their comments.
	45 Day Written Comments	Comment Period Ended: December 6, 2019
	First Set 15 Day Written Comments	Comment Period Ended: February 25, 2020
	Second Set 15 Day Written Comments	Comment Period Ended: March 27, 2020
19.	Public Hearing Transcripts Note: The transcripts of the public hearings are marked up based on each commenter and their comments.
	Sacramento	December 2, 2019
	Los Angeles	December 3, 2019
	San Francisco	December 4, 2019
	Fresno	December 5, 2019
20.	Form 399
21.	Materials/Documents Relied Upon
Appendix A: Preliminary Activities
	California Department of Justice, Attorney General’s Office, California Data Breach Report (February 2016).
	California Department of Justice, Attorney General’s Office, Public Comments Received as Part of the Preliminary Rulemaking Process.
	California Department of Justice, Attorney General’s Office, Supplemental Public Comments Received as Part of the Preliminary Rulemaking Process
	California Department of Justice, Attorney General’s Office, Transcript of Fresno Public Forum.	February 13, 2019
	California Department of Justice, Attorney General’s Office, Transcript of Inland Empire/Riverside Public Forum.	January 24, 2019
	California Department of Justice, Attorney General’s Office, Transcript of Los Angeles Public Forum.	January 25, 2019
	California Department of Justice, Attorney General’s Office, Transcript of Sacramento Public Forum.	February 5, 2019
	California Department of Justice, Attorney General’s Office, Transcript of San Diego Public Forum.	January 14, 2019
	California Department of Justice, Attorney General’s Office, Transcript of San Francisco Public Forum.	January 8, 2019
	California Department of Justice, Attorney General’s Office, Transcript of Stanford Public Forum.	March 5, 2019
Appendix B: 45-Day Period
	Acquisti et al., What Is Privacy Worth? (2013) The Journal of Legal Studies, 42(2), pp. 249-274.
	Center for Plain Language, Privacy-policy analysis (2015).
	Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, FTC Report (March 2012).
	Hahn et al., A data processing addendum for the CCPA? (Jun. 19, 2019) IAPP Privacy Perspectives.
	Montes et al., The value of personal information in markets with endogenous privacy (Aug. 5, 2015) CEIS Working Paper No. 352.
	National Telecommunications and Information Administration, U.S. Department of Commerce, Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices (July 25, 2013).
	Norton, The Non-Contractual Nature of Privacy Policies and a New Critique of the Notice and Choice Privacy Protection Model (2016) 27 Fordham Intell. Prop. Media & Ent. L.J. 181.
	Pew Research Center, Public Perceptions of Privacy and Security in the Post-Snowden Era (November 14, 2014).
	Reidenberg et al., Ambiguity in Privacy Policies and the Impact of Regulation (March 22, 2016) Journal of Legal Studies, Forthcoming; Fordham Law Legal Studies Research Paper No. 2715164.
	Schaub, et al., A Design Space for Effective Privacy Notices (July 22–24, 2015) Symposium on Usable Privacy and Security (SOUPS) 2015, Ottawa, Canada.
	Short et al., What’s Your Data Worth? (Mar. 3, 2017) MIT Sloan Management Review, Spring 2017 Issue.
	Spiekermann, et al., Towards a Value Theory for Personal Data (April 2017) Journal of Information Technology, Vol. 32, Issue 1, 2017.
Appendix C: 15-Day Period
	Accenture Interactive, See people, not patterns. (2019).
	Cranor, et al., Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (February 4, 2020).
	Douglis, et al., How the CCPA impacts civil litigation (January 28, 2020).
	Duffy, et al., Retail Loyalty Programs Will Survive Calif. Privacy Law (September 26, 2019), Law360
	Paternoster, Leon, Getting round GDPR with dark patterns. A case study: Techradar (August 12, 2018).
	Simon, et al., Summary of Key Findings from California Privacy Survey (October 16, 2019), Goodwin Simon Strategic Research.

Amendments to CCPA Regulations – Documents filed with OAL in January 2021

OAL Notice of Approval in Part and Withdrawal in Part

Rulemaking documents for Amendments to CCPA Regulations - The pdf of documents is bookmarked for ease of reference. It contains the following documents:

Notice of Third Set of Proposed Modifications
Third Set of Proposed Modifications
Statement of Mailing for Third Set of Modifications
Notice of Fourth Set of Proposed Modifications
Fourth Set of Proposed Modifications
Statement of Mailing for Fourth Set of Modifications
Public Comments regarding Third and Fourth Set of Modifications
Additional Documents Relied On
- Cranor, et al., CCPA Opt-Out Icon Testing – Phase 2 (May 28, 2020). Habib, et al., An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites, USENIX Symposium on Usable Privacy and Security (SOUPS) 2019, August 11-13, 2019, Santa Clara, CA, USA.
- Habib, et al., “It’s a scavenger hunt”: Usability of Websites’ Opt-Out and Data Deletion Choices, CHI ’20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, April 2020, Honolulu, HI, USA. (Article begins on page 21).
- Luguri, Jamie and Strahilevitz, Lior, Shining a Light on Dark Patterns (August 1, 2019), University of Chicago, Public Law Working Paper No. 719, University of Chicago Coase-Sandor Institute for Law & Economics Research Paper No. 879.
- Mahoney, et al., California Consumer Privacy Act: Are Consumers’ Digital Rights Protected? (October 1, 2020), Consumer Reports.
Addendum to Updated Informative Digest
Second Addendum to Final Statement of Reasons
- Appendix G – Summary and Response to Comments Submitted during Third 15-Day Comment Period
- Appendix H – List of Commenters from Third 15 Day Period
- Appendix I – Summary and Response to Comments Submitted during Fourth 15-Day Comment Period
- Appendix J – List of Commenters from Fourth 15 Day Period

Who We Are

What We Do

What We're Working On

Media Center

Social Media

Career Opportunities

Organization of the Office

AG Honors Program & Earl Warren Solicitor General Fellowship

For Businesses

Service on the Attorney General

Open Government

Programs

Most Popular

Most Popular

CCPA Regulations

CCPA Regulations – Documents filed with OAL in June 2020

Amendments to CCPA Regulations – Documents filed with OAL in January 2021

Section 100 – California Consumer Privacy Act (Transfer of Agency Authority)