This is the Data Protection Report’s sixth post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts.

The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office will host six public forums to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations.

On January 8, 2019, the Attorney General’s office held the first of the six public rulemaking workshops in San Francisco. The comments made at the workshop reflect general concerns about perceived ambiguities in the law, as well as potential unintended consequences for businesses that collect information about California consumers.

Specific themes that emerged include:

  • Clarifying certain ambiguous definitions, including the definition of “personal information” and whether it includes IP addresses and inferences drawn from personal information to create a profile about a consumer. Others proposed narrowing the definition of “sale” to exclude online advertising.
  • A call for the Attorney General to establish a safe harbor provision for businesses that are GDPR compliant, as well as a call for greater synergy between the two laws.
  • Considering that the right of access provisions may actually undermine the law’s goal of limiting the collection of personal information because the law may require companies to collect data as part of identity verification that they would otherwise not collect.

In the wake of GDPR and CCPA, Congress is now proposing drafts of a first-ever comprehensive US federal data privacy law, which may get passed in 2019. State-preemption is one of the major sticking points and although there appears to be agreement that a national law would be preferable to the current patchwork of state and industry-specific privacy laws, the details of what and how such a federal law will be enforced have yet to be ironed out. The Federal Trade Commission will likely play some role in the enforcement as well as state Attorney Generals. We will continue to monitor developments in state laws, such as the CCPA, and the new federal law.

The dates and locations of additional public forums are listed below. Public comments are also accepted by email at or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

  • January 14, 2019 10 AM – 1 PM, California State University, San Marcos, 333 S. Twin Oaks Valley Road San Marcos, CA 92096
  • January 24, 2019 10 AM – 1 PM, Cesar Chavez Community Center, 2060 University Avenue Riverside, CA 92507
  • January 25 2019 10 AM – 1 PM, Ronald Reagan Building, 300 S. Spring Street Los Angeles, CA 90013
  • February 5, 2019 10 AM – 1 PM, California State Building, 1500 Capitol Avenue Sacramento, CA 95814
  • February 13, 2019 10 AM – 1 PM California State Building, 2550 Mariposa Mall, Room 1036 Fresno, CA 93721

For more information or to begin preparing for CCPA compliance, please contact:

Jeewon Kim Serrato, San Francisco
Head of Data Protection, Privacy, and Cybersecurity, United States

Our other CCPA articles

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA: “Attorney General Amendment” Likely Dead

Article 10: Nevada, New York and other states follow California’s CCPA

Article 11: “What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified

Article 12: Back At The Negotiating Table: CCPA Amendments Debate Continues

Article 13: One-Month Countdown to Pass CCPA Amendments Begins

Article 14: CCPA: “Wait and see” is not the right approach

Article 15: And then there were five: CCPA amendments pass legislature

Article 16: Mic Drop: California AG releases long-awaited CCPA Rulemaking

Article 17: California Governor Signs All 5 CCPA Amendments

Article 18: Here We Go Again: Another Ballot Initiative for CCPA in 2020

Article 19: Privacy Officers’ New Year’s Resolutions

Article 20: State of the Untion: CCPA and beyond in 2020