CCPA California Consumer Privacy Act

CCPA: What You Need to Know About California’s Looming Data Privacy Law

While consumers may be concerned about their lack of privacy on the Internet, businesses had better be aware of how enforcement of the California Consumer Privacy Act (better known as the CCPA) can impact them. Thanks to CIO DIVE and the International Association of Privacy Professionals (IAPP), here are five take-aways about the new law:

First – the California Consumer Privacy Act goes into effect on January 1, 2020

That means Attorney General Xavier Becerra’s office can start enforcing it on July 1st, six months after it’s enacted. So, what’s the penalty for each violation? For violations “lacking intent,” it is $2500 under Section 17206 of the California Business and Professions Code, according to Dennis Dayman of Return Path; for intentional violations, it is $7500 per violation. Also, individual consumers can sue for $100 to $750 in the event a company is careless and gets hacked, according to Fortune. But it’s likely the Great Big Cost will be for initial compliance, which is estimated to be upwards of $55 billion, according to a report issued by the Attorney General’s office.

Second – The new regulation requires businesses to confirm a California resident’s request:

  • to know or delete data within 10 days of receiving an inquiry about what personal information is being collected about them,
  • to access that information,
  • to know if their personal information is disclosed, and to whom,
  • to know if their personal information is sold and have the right to opt out of the sale, and
  • to receive equal service and price whether or not they exercise their privacy rights.


Third – Businesses must act on the request within 45 days, “regardless of time required to verify the request.”


Fourth – Under the Act, the new regulation requires compliance of service providers,

and “any person or entity that provides services to a person or organization shall be deemed a service provider for the purposes of the CCPA,” as long as, according to Forbes, your company:

  • does business in or has customers (or potential customers) in California, plus meets one of the following criteria:
    • your annual gross revenue is more than $25 million;
    • your organization receives, shares, or sells personal information of more than 50,000 individuals;
    • your company earns 50% or more of its annual revenue from selling personal information of consumers.


Fifth – Since there isn’t a federal data privacy law on the books – or in sight – California’s CCPA solution will be the toughest in the world,

going further than the European Union’s General Data Protection Regulation (GDPR) that went into effect May 25, 2018.

For anyone who saw Netflix’s The Great Hack (and anyone who didn’t really should): had CCPA been in force, and had David Carroll – the “Dark Data” professor from Parsons who co-stars in the documentary – been in California, he could have demanded and received the data he sought from Cambridge Analytica, if it had been based in the U.S. So it won’t cover every situation.

The fact is, now is the time to figure out how your company will respond to CCPA.

For starters, Forbes recommends businesses take a hard look at their personal data-governance capabilities and processes, including determining how your company will:

  1. Inform consumers of your intent to collect personal information.
  2. Advise consumers that they have the right to know what personal information you’ve collected, where the data came from, how it will be used, and with whom it’s shared. (According to Fortune, this information includes: biometrics, internet browsing information, products purchased or considered for purchase, geolocation data, academic and employment information, and inferences drawn to create a profile about the individual to reflect preferences.)
  3. Recognize the fact that consumers will have the right to prevent your business from selling their personal information to third parties.
  4. Respond to consumers’ requests to remove the personal information that your business has on them.
  5. Modify any existing practices that charge consumers different prices or refuse services to a consumer who exercises their privacy rights.

One bright area for businesses impacted by the CCPA is a “cure” provision that “gives companies an opportunity to remedy the effects of a breach before an affected consumer brings a lawsuit.” According to a Skadden, Arps article, if the cure is effective, that consumer can only pursue actual damages, not statutory damages. In fact, the CCPA’s cure provision prevents the consumer from bringing a class action for those statutory damages. This is important because the CCPA requires courts to award successful plaintiffs between $100 and $750 “per consumer per incident,” and that amount would add up quickly in a class action suit.

Clearly, avoiding the dystopian implications of the Facebook-Cambridge Analytica scandal is a noble goal. I just hope in the State’s effort to protect our privacy, we don’t roll back all the great “free stuff” that Google, Facebook, and thousands of other companies have been willing to give us in exchange for a glimpse into the 5,000 data points that make each American uniquely susceptible to internet marketing.

Well, at least that’s my opinion. What’s yours?