Everything to Know About the California Consumer Privacy Act


Just when companies feel they can finally breathe in the wake of GDPR, the California Consumer Privacy Act (CCPA) throws another curveball forcing companies to assess their data protection practices – again. Despite almost one-third of companies still failing to meet GDPR compliance, the new landmark privacy law is the second hurdle for companies, many of whom are still struggling to face the first.

The CCPA, which comes into play on 1st January 2020, brings a broad new set of privacy laws to California. A PwC survey found that by January first only half of those businesses affected will be CCPA compliant despite being signed into law mid-2018 and could end up costing California businesses $55 billion.

Despite initial intentions to protect California consumers, the act will affect companies worldwide as law includes out-of-state merchants who have engage in any form of business with Californians, including simply displaying a website in California.

Despite what many believe, the CCPA is not the first privacy act to take effect in the US. Nevada’s law took effect on 1st October 2019 but is far more specific in comparison as their law only encompasses websites and online services. Once in affect, the CCPA will give California consumers the power to know what information a company holds about them and the power to have this information deleted. On top of this, companies will have to heighten disclosure of the data they collect. Given this consumer power, the act was meet with considerable but ultimately unsuccessful lobbying from Silicon Valley tech giants.

Unlike GDPR, which covers all business, CCPA only impacts larger businesses in which the sale of data forms a key part of their income. This categorisation can be broken down into three categories: businesses that have a revenue exceeding $25 million, companies with consumers beyond 50,000 and businesses with more than fifty percent of their revenue stemming from the sale of consumer data. Despite this narrower scope, the data privacy act will still significantly impact California’s business given California make $12 billion annually from personal data in online advertising.

The law is being praised as the catalyst which will bring a global shift; however, little is currently known as the how the law will be enforced. The law relies on the California's Attorney General to enforce penalties that could potentially exceed $7,500 for those intentional violations and $2,500 for those unintended violations. Consumers are also given the power to sue for up to $750 if a company is hacked. Confusion is stemming for the CCPA’s controversial “cure” clause. In the event of a violation, this clause allows companies off the hook by giving a thirty-day grace period to remedy a violation. The confusion lies in what constitutes as a “cure” as the law fails to outline what actions suffice.

Scepticism also surrounds the California AG’s ability to police the CCPA given the law’s broad nature and challenge of the “cure” provision. Many argue the “cure” provision will be relied upon as a get out of jail free card by companies found acting out of compliance.

Whether the CCPA’s broad privacy requirements will catalyst greater data privacy regulation in the US is uncertain. However, it is the job of the compliance officer to proactively implement the compliance challenges brought by CCPA. Importantly, those companies compliant with GDPR are not compliant with CCPA by default, creating further work for compliance professionals.

Back to article list