IN BRIEF

The Far-Reaching Implications of the California Consumer Privacy Act (CCPA)

April 7, 2020

Golden Gate bridge

The California Consumer Privacy Act, which entered into effect in January 2020, has broadened consumer privacy rights and business compliance obligations.

While enforcement by the California attorney general is expected to commence in July 2020, consumers have already instituted civil actions as permitted by the CCPA against businesses for alleged violations of the duty to implement and maintain reasonable security procedures and practices.

Given that, the CCPA warrants careful review by businesses across sectors. The CCPA is the first comprehensive consumer privacy law in the U.S. with reverberations felt across state lines.

Why is the California Consumer Privacy Act significant to businesses beyond California?

The CCPA potentially applies to any commercial business that has California customers.

Businesses need not hold physical operations in California to face compliance obligations. Indeed, any business that collects personal information from a California resident – either on its own or by others on its behalf – may need to comply.

The law does provide some limitations, however. First, it applies only to for-profit entities. Second, such entities must be “doing business” in California. Third, they must be collecting the personal information of California residents. And fourth, they must meet one of the following thresholds: (1) generate annual gross revenue in excess of $25 million; (2) derive half or more of their annual revenue from selling the personal information of Californians; or (3) buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices.

[Read our guidance on what to do – and missteps to steer clear from – when responding to a Data Subject Access Request (DSAR).]

What types of personal information does the law cover?

The CCPA broadly covers information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Under this broad rubric, “personal information” extends far beyond traditional notions of personal data, such as name, postal address, and Social Security numbers.

The CCPA includes more expansive categories, such as biometric and geolocation data, internet activity, and any inferences drawn from such data to create a consumer profile.

CCPA New Statutory Rights infographic

How can legal counsel facilitate CCPA compliance?

Most practically, businesses should stay abreast of CCPA updates and amendments. Several amendments have been proposed by California legislators, and a new initiative (colloquially named “CCPA 2.0”) may appear on the November ballot. Furthermore, the attorney general’s regulations are expected to be finalized before the July 1 enforcement date.

Internally, businesses should conduct a data mapping exercise to identity the data they are collecting and how it is being used. A data inventory and assessment is essential to a CCPA compliance program.

Businesses also need to assess resources and infrastructure to ensure proper compliance. Among other measures, businesses should identify key stakeholders and create project teams, earmark funds for compliance, document a plan, update privacy policies and other required notices, and implement procedures for handling consumer requests.

Businesses should also review and update data breach and incident response controls, as well as the contracts of vendors and other service providers.

Above all, businesses should not view compliance as a once-and-done project. Businesses must conduct periodic assessments and review results to gauge ongoing compliance with the CCPA’s evolving requirements.

In Focus: California Consumer Privacy Act

Follow today’s CCPA developments so you can plan your strategy for tomorrow and provide critical guidance for your clients and business. Protect your interests and advise with confidence with the resources on the California Consumer Privacy Act — In Focus page on Bloomberg Law.

What are the potential consequences for noncompliance?

Businesses that violate the CCPA are subject to civil penalties from the California attorney general – up to $7,500 for each intentional violation.

The potential for violating the CCPA is great, given the expansive legal rights granted to consumers and the corresponding obligations placed on businesses. Consumers have the right to opt out of the sale of their personal information; the right to know how their information is collected, used, and shared with third parties; and the right to receive their personal information in a portable format. Consumers can also request that businesses delete any of the personal information collected from them.

Consumers can also bring private actions against businesses for security breach violations. Notably, the CCPA permits consumers to recover statutory damages in such actions – up to $750 per consumer per incident. In the context of a class action, that sum can multiply exponentially.

How are other states following California’s lead?

In the wake of the CCPA, various jurisdictions nationwide have introduced similar initiatives.

Beyond California, measures have emerged from Maine to Hawaii, from Washington to Florida. In all, nearly 30 states have considered CCPA-like proposals.

Many of these efforts articulate a right to access and ability to opt out of sale of personal information. In other cases, initiatives intend to create a private right of action, as well as advance new notice and disclosure requirements for businesses that gather consumer information.

Varying state responses have accelerated calls for a unified federal response. Several proposals have been introduced in Congress, such as the Consumer Data Privacy and Security Act (S. 3456) and the Consumer Online Privacy Rights Act (S. 2968). The main sticking points for a federal consensus, however, center on preemption and the private right of action.

[Subscribers: View our tracker with state-by-state summaries of the proposals and links to the text of the underlying bills.]

CCPA infographic

How does the CCPA differ from the GDPR?

Like the European Union’s General Data Protection Regulation, the CCPA addresses data privacy in a comprehensive manner, but the two regimes differ in many ways. Most significantly, the CCPA does not prohibit the processing of personal information by default. Nor does it vest enforcement authority in a data protection regulator. And while the CCPA itself does not impose recordkeeping requirements on businesses, the attorney general’s proposed regulations do.

[Subscribers: To learn more about how the CCPA and GDPR differ, check out Bloomberg Law’s Comparison Table – CCPA vs GDPR.]


Bloomberg Law’s In Focus page offers Practical Guidance documents to help you formulate your compliance strategy and demystify this complex law.

Request a demo

Reference Shelf

[Access up-to-date California Consumer Privacy Act resources on Bloomberg Law’s In Focus page. Request a demo.]

Privacy and Data Security News

View All News
Top