October 22, 2020

Volume X, Number 296


October 21, 2020

Subscribe to Latest Legal News and Analysis

October 20, 2020

Subscribe to Latest Legal News and Analysis

October 19, 2020

Subscribe to Latest Legal News and Analysis

Proposed CCPA Regulations Progress to Final Review

Following much anticipation, the Office of the California Attorney General (OAG) moved one step closer to the California Consumer Privacy Act (CCPA)’s wide-ranging implementing regulations becoming enforceable by law by filing the final CCPA Regulations with the California Office of Administrative Law (OAL) on June 1.

The CCPA grants the OAG the authority to begin enforcing the law on July 1, 2020. Whereas the OAG can enforce the CCPA on that date, businesses have been awaiting confirmation of whether the CCPA Regulations will be finalized and enforceable starting July 1 as well.

The effective date of the Regulations stems from the date the OAL transmits the final rules to the Secretary of State for adoption. Thus, while the OAG requested an expedited review of the OAL, even if the OAL completes its review in less than 30 days, the effective date of the Regulations will be Oct. 1, 2020, unless OAL designates a different effective date.

On June 1, 2020, the OAG submitted to the OAL its rulemaking package that consisted of the following, among other items:

  • an Updated Informative Digest, describing legislative updates since the original filing of the Notice of Proposed Rulemaking Action on Oct. 11, 2019, including changes to the proposed regulations since the Notice of Proposed Rulemaking Action;

  • much of the record of materials received and released during the rulemaking process, including public comments and responses, public hearing transcripts, white papers, and more.

The OAG emphasized, per the Request for Expedited Review: “While the Attorney General is mindful of the challenges imposed by COVID-19 and Governor Newsom’s Executive Order N-40-20 granting additional time to finalize proposed regulations, the Attorney General respectfully requests that the Office of Administrative Law complete its review within 30 business days, given the statutory mandate for regulations.”

With the request, the OAL has 30 working days, plus an additional 60 calendar days as established by the Executive Order referenced, to review the package for procedural compliance with the California Administrative Procedure Act. OAL’s review is limited to regulatory legal requirements. OAL has no power to change the proposed regulation and OAL does not accept public comments on or correspondence about proposed regulations. Once the OAL approves the package, the final regulations text will be filed with the Secretary of State.

Without an expedited review, and alteration of the normal effective date schedule, the regulations will not take effect until Oct. 1.

California Attorney General Xavier Becerra also noted in a press release, “Our regulations provide businesses and individuals with guidance on how to protect that choice and boost transparency, while continuing to unleash innovation. Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 155



About this Author

Of Counsel

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy and data governance, and FTC best practices.

Darren focuses on the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and product counseling.

Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Gretchen works closely with her clients to manage data and leverage its value in ways to meet compliance obligations as well as deliver value to the business and instill consumer trust. Her experience working with various industries allows her to quickly assess options and risks, and guide clients, including numerous genomic data companies, in resolving complicated privacy issues.

Gretchen has litigated, mediated, and arbitrated commercial disputes, including class actions, at state and federal courts nationwide, and has tried numerous cases to verdict. Her wide-ranging litigation background allows her to advise clients on the litigation risks they face in determining how to handle data privacy issues. In addition to providing compliance advice, Gretchen defends companies facing FTC and other regulatory investigations, and individual and class action claims involving privacy, information security, and consumer protection.


  • EU GDPR compliance

  • Cross-border transfer mechanisms (Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules), and data processing agreements

  • FTC CIDs, State Attorney General investigations

  • Behavioral advertising, automated processing and profiling

  • Security breach response and notification

  • DPIAs and addressing complicated privacy issues relating to product development


  • Privacy and security gap assessments