
What the California Consumer Privacy Act Means to Data Protection Law

September 09, 2019 (3 min read)

Following on the heels of the European Union’s General Data Protection Regulation, commonly referred to as GDPR, comes CCPA, the California Consumer Privacy Act. It’s California’s effort to enhance consumer data privacy at the state level. CCPA builds on California’s “Shine the Light Law” (CA Civil Code §1798.83) from 2005 and shares the goal of GDPR—to protect sensitive online data and prevent fraud.

And this legislation comes at a critical time, given the media attention that some high-profile data breaches have received. It seems that the public is becoming increasingly aware of the dangers of identity theft, and the importance of data and credit protection.

What You Need to Know About CCPA

You can read a broader analysis of CCPA here, but the core tenet of the law is to put you (as a consumer) in control of your digital footprint.

So…what does that mean?

In layperson’s lingo, it means you have the right to know what information a particular company is collecting on you—things like age, credit card numbers, addresses, gender and (ominous music) much, much more. You also have a right to know who is buying or selling that information.

More importantly, this law gives you the ability to tell a company to delete your information and/or prevent that company from selling your data to another entity. Again, this is very similar to what the legal community saw with GDPR.

CCPA Compliance

If you conduct business in California and: have over $25M in gross revenue; process the information of 50,000+ individuals; or earn over half of your revenue from selling California consumers’ personal data…

…then get ready to comply with the California Consumer Privacy Act.

That means you must adhere to the regulations outlined in the law, whether you have a brick and mortar presence in California or not. The National Law Review has a good checklist that can help.

But here’s the thing: since GDPR went into effect in 2018, any California entity that wanted to do business in Europe had to abide by similar laws already. So many businesses may have a head start on compliance (but it’s important to note that CCPA goes beyond GDPR in certain instances).

If you’re a lawyer, you can arm yourself with up-to-date resources, and if you’re a business, finding a lawyer to help you wade through these new guidelines is a good idea—especially since fines can hit $7,500 for a single violation.

Will CCPA Impact National Laws?

Time-travelling phone booths aside, no one can predict the future with 100 percent accuracy. That said, it’s entirely possible, if not probable, that similar legislation will eventually be introduced on the federal level. With every new identity theft case or data breach that hits the news cycle, the clamor of voices seeking more data privacy protection grows louder—which can spur action in Washington.

But the impact of federal laws may not be as dramatic as with CCPA, and that’s simply because California is a big economic market and CCPA applies to any business that touches the data of California citizens. That’s a lot of people, so many companies have begun girding themselves for CCPA’s arrival in 2020. Ergo, if similar laws are adopted at the national level, many businesses will already have laid the groundwork for compliance. (Kind of the way a lot of businesses were ready for CCPA, thanks to their preparations for GDPR.)

One thing is for certain: much like the way courts compared MP3 files to cassette tapes around the turn of the century, legislation will always lag behind technology.

You just have to be ready for it when it (inevitably) comes.