The California Consumer Privacy Act (CCPA)

The clock is ticking for the 2020 implementation deadline

The California Consumer Privacy Act (CCPA) provides consumers with much more control over their personal information than ever before. It was signed into law in June 2018, takes effect in 2020 and follows closely on the heels of the EU General Data Protection Regulation (GDPR).

(There will likely be amendments and corrections as it moves through its legislative process during 2019.)

  • The CCPA extends the privacy rights and protections to California residents
  • CCPA is relevant for companies that collect and process the personal information of California residents and do business in California
  • The companies themselves don’t have to be physically located in California, only making sales there
  • CCPA applies when companies meet at least one of the following:
    • Generate gross revenue greater than $25m
    • Receive or share personal information of more than 50,000 California residents annually
    • Derive at least 50% of their annual revenue by selling personal information
  • CCPA doesn’t apply to non-profit businesses
  • Under CCPA personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”
  • It excludes information that is publicly available

The New Consumer Rights:

  • The business must inform consumers what personal information they capture, how that is being captured and used, and the details of any sharing or disclosure
  • Consumers should have an easy process to opt out of having their personal information sold on
    • Under 16s must opt in for their information to be shared
    • Parents or guardians must give consent for the selling of personal information of under 13s
    • There must be a clear “Do Not Sell my Personal Information” link on the homepage
  • Businesses must inform consumers of their right to have their personal information deleted
    • Businesses must delete the information on request
    • Businesses must ensure the information is deleted by the third-party contractors with whom they shared it (there are notable exceptions to this related to transactions)
  • Consumers must not be discriminated against if they exercise their rights under the CCPA
    • Businesses may offer financial incentives for a consumer’s personal information
    • Businesses can offer varying levels of service, and even charges, related to the value of the consumer’s information

Transparency & Disclosure

Businesses subject to CCPA will need to inform consumers of their rights under the CCPA, what personal information is collected, how it is used and what, if any, is sold on.  This disclosure needs to be proactive and updated annually.

Non-Compliance & Enforcement

The CCPA provides consumers a private right of action if their rights are breached. The duty is on businesses to implement and maintain reasonable security procedures and practices. As well as the threat of individual or class action lawsuits, businesses failing to comply with their CCPA duties are subject to civil penalties per violation.



GDPR-ready organisations have a head start on organising and managing their customers’ personal data, but not all requirements are aligned. And unlike GDPR, where the regulator’s enforcement penalty has a ceiling of 4% of global annual revenues, the CCPA has no ceiling and is $7500 per violation (and that’s without the private right of action).


So it’s time to get started mapping the flow of personal information throughout your organisation, updating your privacy notices and websites, and making sure your relevant staff are trained up. Of course, if you’ve already implemented GDPR protocols you may find you are already mostly there.

If you want some help and guidance – just let us know. We’re not lawyers, but practical and experienced data protection professionals who can find pragmatic business solutions for you, as well as dovetailing into GDPR.