The CCPA: What is it and what does it mean for consumer privacy?

Written By: Bryce Hoyt

Beginning on January 1, 2020, the California Consumer Privacy Act (“CCPA”) took effect, resulting in a flood of emails from corporations stating, “We’ve updated our privacy policy.” [1] The CCPA is the most comprehensive and far-reaching consumer privacy law to date, mimicking the European Union’s General Data Protection Regulation (“GDPR”). [2] For example, companies with $25 million in annual revenue or any company storing data on at least 50,000 people must comply or face a potential fine of up to $7,500 per record in violation. [3] Although CCPA is a state law, it applies to any business meeting the threshold requirement above, and that also does business in California or collects personal information on California residents. [4] This means that many companies outside California or even the United States are still mandated to comply if they do substantial business with California [residents].

A few key provisions of the act include prohibiting the sale of personal data on children under the age of 13 without parent authorization and requiring children between the ages of 13-16 to give affirmative consent themselves before collecting any data (also known as the “opt-in” requirement). [5] Additional provisions put more power in the hand of the consumer by allowing individuals to request full disclosure of the type of data the business collects, the category of third-party companies the data is sold to, and the purpose of selling said data. [6] One of the most unique provisions allows consumers to request all personal data relating to said individual to be permanently deleted from the company records and gives the right to a private cause of action for any violation (with exceptions). [7] These are just a few key aspects of the extensive requirements and guidelines set forth in the CCPA.

Privacy organizations and firms have started releasing CCPA “readiness assessment guides” to help advise companies and clients on how to comply with the sweeping changes to consumer privacy law. [8] Although the act lays out, in detail, many necessary changes companies must make to comply, some aspects remain ambiguous, such as what constitutes a data breach “cure”. Furthermore, it is unclear the degree of enforcement by the California Attorney General’s office. It appears only future litigation will answer the questions left open by the legislation—as of now, companies are diligently working to establish company protocol to avoid being the defining precedent.

[1] Maria Korolov, California Consumer Privacy Act (CCPA): What you need to know to be compliant, CSO (October 4, 2019, 3:00 AM PDT), [https://perma.cc/QN8T-CW8V].

[2] Id.

[3] Id.

[4] Emily Tabatabai, Antony Kim, & Jennifer Martin, Understanding California’s Game-Changing Data Protection Law, CORPORATE COUNSEL (July 16, 2018), https://s3.amazonaws.com/cdn.orrick.com/files/UnderstandingCaliforniaDataProtectionLaw.pdf [https://perma.cc/U5X3-BSME].

[5] Cal. Civ. Code §1798.120 (West 2019).

[6] Cal. Civ. Code §1798.110 (West 2019).

[7] Cal. Civ. Code §1798.150 (West 2019).

[8] ORRICK, California Consumer Privacy Act – Are you CCPA-Ready?, https://www.orrick.com/Practices/CCPA-Readiness [https://perma.cc/D6K4-G2E9].


Leave a Reply

Your email address will not be published. Required fields are marked *