Back in June 2018, a major consumer privacy law was passed in California: California Consumer Privacy Act, or CCPA for short. The first comprehensive consumer privacy law to be passed in the US, CCPA saw the addition of new rights such as a consumer’s right to access and download the personal information stored about them by a company, and have it deleted if so desired. Finally enforced across the whole of the US as of January 1st this year, CRIBB Cyber Security’s Patrick Carolan talks us through CCPA.

Patrick, what exactly is the California Consumer Privacy Act of 2018?

In simple terms it’s a privacy protection law not unlike the DPA 2018 or GDPR, that was introduced to protect the personal information of California residents. It came into effect for all of the US just last month and some of the implications it has have already become clear.

Could you expand a little on that please?

Certainly, for example, due to the extremely large volume of California privacy law, keeping on top of it has literally become a full-time job – non-specialist advice isn’t good enough. That means it is also having an impact on spend for businesses too. A recent BEAR assessment revealed that initial compliance with CCPA is going to cost approximately $55 billion. That is a staggering amount.

What does the CCPA do in essence?

CCPA is designed to protect personal information, and it does this in 2 different ways; 1, it imposes requirements on businesses who gather, share or sell that information and 2, it gives privacy rights to California / US residents.

What kinds of rights are included?

Disclosure, deletion, data portability and the right to object to the sale of their personal information – these are all now the rights of US residents.

Which businesses are affected by the CCPA?

Any business which gathers the information of US residents. The businesses also need to meet 1 or more of the following 3 conditions; 1, they must have an annual gross revenue in excess of $25 million. 2, they must be processing the personal information of over 50,000 consumers, households, or devices each year. 3, they must be achieving at least half of their annual revenue from the selling of consumers’ personal information.

Under the CCPA, what must businesses do to achieve compliance?

Businesses now need to implement a CCPA-compliant privacy policy and they need to reveal exactly what personal information they are gathering and why. As with GDPR and SAR’s, if a consumer requests to see the various pieces of information held about them, then under CCPA it must be disclosed.

One point where the CCPA is perhaps a little less stringent than its European counterpart is that such verified consumer requests need to be complied with within 45 days, unless the business in question informs the consumer that it cannot comply.

Again though, as with the GDPR, the CCPA does require businesses to provide consumers with the right of deletion and they must provide them with 2 or more methods to submit requests allowing them to exercise their rights.

This is still quite an empowering law, then?

Oh, absolutely – businesses also need to add a visible link to their website homepage that specifically states words to the effect of, “we will not sell your personal data”. So in that instance, it is a little more strict than GDPR!

What personal information falls under the protection of the CCPA?

It could be name, address, social security number, email address, geolocation data, search history, IP address – essentially any information that is linked to a household or a consumer, so it’s quite a broad definition.

There’s also driver’s license numbers and passport numbers, records kept of personal property, products or services purchased, biometric information, professional or employment-related information and educational information.

What ultimately is the comparison between CCPA and other data protection laws?

There are definitely similarities between CCPA and DPA 2018, GDPR, The NDB scheme in Australia, Brazil’s LGPD and PIPEDA in Canada but there are also a number of differences.

For example, GDPR is a little bit clearer and less ambiguous about the technical and organisational measures deemed appropriate for businesses looking to achieve compliance. I think we will see in the coming weeks just how much of an impact the CCPA will have, and that’s when we’ll gain more of an insight into the comparison. As I said, some of its implications are already visible, but only time will tell…


DPA 2018 – Data Protection Act 2018

GDPR – General Data Protection Regulation

BEAR – Berkeley Economic Advising and Research

SARs – Subject Access Requests

Top Tip

For more updates from the world of cyber security, keep an eye on our blog section every Tuesday afternoon… Of course, if you would like to get in touch directly with our experts, they would be more than happy to have a chat!