
What Is the California Consumer Privacy Act? (+Why Does It Matter)

October 22, 2019

Any U.S. state that earns the ire of the 45th president so regularly is probably doing something right. 

Right now, California, more than any other state, is leading the charge to fill the federal-level leadership vacuum. One way they’re doing this is through the California Consumer Privacy Act, or the CCPA.

The CCPA is California’s bid to bring to America a degree of consumer digital protection similar to what the GDPR accomplished in the European Union.

The General Data Protection Regulation (GDPR) has been law for over a year, but it’s essentially only begun bringing justice against companies that abuse consumer trust. The U.S. hasn’t passed any similar laws at the federal level, which means states are taking up the challenge themselves.

Let’s dig deeper into the CCPA to find out why California’s efforts in this arena could prove consequential to the rest of us, no matter what state we live in.

What the CCPA seeks to accomplish

Legislators in California passed CCPA in June 2018. It goes into effect officially on the 1st of January in 2020.

By any metric, it is the strongest law of its kind in the United States. The simplest definition is that it is a consumer advocacy measure that seeks to give citizens of California greater awareness of and control over how their personal information is collected, processed and sold by corporate entities and even nonprofits.

Here are the major tenets of the California Consumer Privacy Act: 

  • Californians have the right to request an explanation of how and why their personal data is being collected. This includes the categories of data, who collected the data, to whom the data was sold (if applicable) and what purpose the data collection serves.
  • Californians have the right to refuse consent for companies to sell their data to third parties.
  • Californians have the right to request that a company delete the personally identifying information it has collected on that consumer.

The California Consumer Privacy Act defines “personal information” in a fashion similar to the GDPR.

Here’s the CCPA in its own words:

“‘Personal information’ is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

And here’s the GDPR in its own words:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”

The Future of Privacy Forum, in a detailed analysis of the two laws, finds that they are fairly consistent in their chosen definitions.

It’s fair to say that CCPA governs any and every online interaction between consumers and parties which seek to collect information on them. The CCPA’s list of “identifiers” includes, but is not limited to, the following types of data:

  • Device IP addresses
  • Email and home addresses
  • Names and Social Security numbers
  • Financial information (purchase histories, property ownership, etc.)
  • Biometric data (facial recognition and fingerprint scans, etc.)
  • Geolocation and other network activity data
  • Employment information

CCPA’s scope extends even to “inferences” extrapolated from a given set of data. 

What CCPA means for individuals

We live in a world that’s driven by data. It’s often called “the new oil.” A single data brokerage can own tens of thousands of servers and process data on as many as half a million consumers across the world.

Somebody who wants your email address might pay around $89 for it. And taken as a whole, the data brokering industry is worth around $200 billion USD.

It seems as though this trend has become more worrying to consumers over the last few years, too. Numbers from Pew Research indicate that just about half of US citizens believe their digital information is less secure now than five years ago.

With high-profile data breaches happening almost constantly, from Capital One and Equifax to Facebook and Target, it’s clear that this is indeed the case. Facebook alone proved to be a poor steward of the personal data it had collected on some 540 million of its users. And this is a problem that transcends industrial boundaries. Data collection is lucrative everywhere on earth.

This is why legislators made sure the scope of CCPA was sufficiently broad. It’s still a state-level law, but it applies to any businesses and nonprofits located within the state or seeking to do business with California residents. 

How will the CCPA impact business? 

CCPA is a pro-consumer law by any definition. The backlash against data collection is very real and growing, and many consumers have grown frustrated with the apparent inevitability of having companies like Google scrape together vast amounts of data about us, largely without our consent, and sell it off again or use it themselves.

Data privacy and stewardship have emerged as a political hot-button issue, with at least one semi-viable presidential candidate calling for consumers to be compensated any time a business entity profits from their data.

Companies may be a little less enthusiastic about California’s new law and the global changes it may herald. In addition to being located or doing business within state lines, a company must also satisfy at least one of the following requirements for the new law to apply to it:

  • At least 50% of the company’s revenue comes from the sale of personal data.
  • The company processes and/or sells personal data concerning 50,000 or more citizens.
  • The company earns more than $25 million per year in gross revenue.

CCPA also contains language which prohibits companies from engaging in, for lack of a better phrase, “punitive measures” based on a consumer’s choice to opt out or refuse to allow their data to be sold. In other words, a company can’t change its prices or refuse to serve somebody because they have chosen to exercise their rights under CCPA.

The law is also clear on the penalties for companies found to be in violation of CCPA. After a 30-day grace period for addressing a noncompliance issue, companies face fines of between $2,500 and $7,500 USD per incident. This covers “intentional” violations — and it means that a company which mishandles data on 100 Californians is on the hook for a fine of not less than $250,000. 

What does the CCPA say about U.S. tech trends? 

CCPA helps raise the bar for consumer privacy and “digital rights” in the U.S. and will help inform future domestic and international efforts. And it means businesses have a learning curve to navigate. Now, more than ever, companies need a process in place for handling customer data requests. They’ll also need to build opt-out notices into their digital properties.

Businesses will also have to take a serious look at how their third-party partners operate, including whether any existing APIs are out of compliance and may lead to an intentional or unintentional lapse in data custody. For some companies, automation and machine learning principles can help automatically identify compliance issues and gaps in company policy before they become bigger worries.

Data privacy and you 

With data privacy becoming a mainstream political issue and CCPA slated to go into effect first thing in 2020, the writing may be on the wall when it comes to this particular technology trend. And California’s helping to write it in bold. 
