The California Data Privacy Law (CCPA)


The California Consumer Privacy Act of 2018 (CCPA) is the most recent California data privacy law aimed at protecting the rights of state residents. The newly established CCPA goes into effect on January 1, 2020, giving businesses just over a year from when it was signed to become compliant.

Data Privacy in California

The idea that information may be personal and private has long been a point of legal discussion in the United States. The electronic collection, processing and transmission of data and their related privacy concerns have only recently been taken into consideration.

As a hotbed for technology startups, California routinely leads the way when it comes to passing data-related legislation. In 2002 it was the first state to pass a security breach law, requiring written notification to consumers whose data had been exposed. Then in 2004 it passed the Online Privacy Protection Act; this required businesses to prominently post Privacy Policies on their websites that outline what data is collected and how consumers can review or request changes to this information.

Once again, the state takes center stage. This recent California data privacy law is the first in the States to recognize that people have rights with respect to how their data is used.

The Details

Components of the California Data Privacy Law

Given that it is a state law, its contents apply to the data of California residents only. Much like the EU’s GDPR, it outlines a series of rights people have with respect to their data. According to the California Consumer Privacy Act, residents have the right to:

Read more

  • Know what data is being collected and how it will be used;
  • Know if their data may be disclosed or sold, along with the right to say “no” to this;
  • Access their personal information; and
  • Request the removal of their data.

The law also states that, if someone exercises their rights, a business may not discriminate against the person by denying goods or services, charging a different price or providing a different level of service.

While the law generally follows the same definition of personally identifiable information as other privacy acts, it also applies to data which could trace back to one’s household and not strictly to the individual.

kicker table

What Does the California Data Privacy Law Mean for Businesses?

Of course, given the borderless nature of the law, businesses throughout the United States and around the world will need to spend time and resources examining their use of data, as well as building in the appropriate notifications and consent mechanisms. That’s no small task.

Read more

However, beyond the logistics of complying with the CCPA, it’s important to consider that California is only one of 50 states, and, of course, the United States is one of many countries worldwide. This means there is potential for businesses to be responsible for compliance with multiple data privacy laws at a time, each with its unique set of rules, fines and processes.

Eventually, it is expected that a United States federal law will be enacted that would supersede state-level laws, helping to ease this confusion. At this time, however, there is no such nationwide data privacy law, so businesses need to stay abreast of data privacy laws in each state and respond accordingly.

Make compliance easier with OTRS.