Back in June 2018, a major consumer privacy law was passed in California. The California Consumer Privacy Act, or CCPA for short, is the first comprehensive consumer privacy law to be passed in the US. CCPA saw the addition of new rights such as a consumer’s right to access and download their personal information. The company holding it must also delete it if the consumer so desires. The law has finally been enforced across the whole of the US as of January 1st this year, and Patrick Carolan talks us through it in ‘CRIBB CCPA’.

Patrick, what exactly is the California Consumer Privacy Act of 2018?

In simple terms, it’s a privacy protection law not unlike the DPA 2018 or GDPR. It was introduced to protect the personal information of California residents. Last month, it came into effect for all of the US and some of the implications it has have already become clear.

Could you expand a little on that please?

Certainly. For example, due to the extremely large volume of California privacy law, keeping on top of it has literally become a full-time job. Non-specialist advice isn’t good enough. That means it is also having an impact on spend for businesses too. A recent BEAR assessment revealed that initial compliance with CCPA is going to cost approximately $55 billion. That is a staggering amount.

What does the CCPA do in essence?

For myself and CRIBB, CCPA is designed to protect personal information. It does this in two different ways. One, it imposes requirements on businesses who gather, share or sell that information. Two, it gives privacy rights to California / US residents.

What kinds of rights are included?

Disclosure, deletion, data portability and the right to object to the sale of their personal information. These are all now the rights of US residents.

Which businesses are affected by the CCPA?

Any business which gathers the information of US residents. The businesses also need to meet one or more of the following conditions:

  • One: They must have an annual gross revenue in excess of $25 million
  • Two: They must be processing the personal information of over 50,000 consumers, households or devices each year
  • Three: They must be achieving at least half of their annual revenue from the selling of consumers’ personal information

Under the CCPA, what must businesses do to achieve compliance?

Businesses now need to implement a CCPA-compliant privacy policy. They need to reveal exactly what personal information they are gathering and why. As with GDPR and SARs, if a consumer requests to see the information held about them, then under CCPA it must be disclosed.

There is a point where the CCPA is perhaps a little less stringent than its European counterpart. Such verified consumer requests need to be complied with within 45 days. That is unless the business in question informs the consumer that it cannot comply.

Again though, as with the GDPR, the CCPA does require businesses to provide consumers with the right of deletion. They must also provide them with two or more methods to submit requests allowing them to exercise their rights.

This is still quite an empowering law, then?

Oh, absolutely. Businesses also need to add a visible link to their website homepage that specifically states words to the effect of: “We will not sell your personal data”. So in that instance, it is a little more strict than GDPR!

What personal information falls under the protection of the CCPA?

It could be name, address, social security number, email address, geolocation data, search history, IP address – essentially any information that is linked to a household or a consumer, so it’s quite a broad definition.

There’s also driver’s license numbers and passport numbers, records kept of personal property, products or services purchased, biometric information, professional or employment-related information and educational information.

What ultimately is the comparison between CCPA and other data protection laws?

There are definitely similarities between CCPA and DPA 2018, GDPR, the NDB scheme in Australia, Brazil’s LGPD and PIPEDA in Canada, but there are also a number of differences.

For example, GDPR is a little bit clearer and less ambiguous about the technical and organisational measures deemed appropriate for businesses looking to achieve compliance. I think we will see in the coming weeks just how much of an impact the CCPA will have, and that’s when we’ll gain more of an insight into the comparison. As I said, some of its implications are already visible, but only time will tell…


DPA 2018 – Data Protection Act 2018

GDPR – General Data Protection Regulation

BEAR – Berkeley Economic Advising and Research

SARs – Subject Access Requests
