What is the California Consumer
Privacy Act?

By continuing to use this site, you agree to the use of cookies. More information. Accept

04/02/2019 |

What is the California Consumer
Privacy Act?

Last year, the EU implemented the GDPR, countries around the world
began implementing their own data protection laws, as did
the United States with the CCPA.

The California Consumer Privacy Act is one among many data privacy laws that aims to hold companies like Google and Facebook accountable when they stretch the limits of data collection and usage ethics.

Why do I call out Google and Facebook? Just last week, Apple rescinded Facebook and Google’s rights to publish to their developer app platform because the two tech giants were violating Apple’s privacy policy. They had both been promoting an app through Apple’s AppStore that was designed to collect information about which websites or apps people use and what people are doing online. Users, including teens, were lured into installing the apps because financial incentives were offered. On the surface, this may have seemed like “easy money” to users, but the reality is that their devices were essentially being spied upon – and the question remains as to how much users really knew about the amount of data that was being collected and what could be done with it.

It's time for situations like this to come to an end, and that's exactly what the recent onslaught of data privacy laws is trying to accomplish.

It’s time for situations like this to come to an end, and that’s exactly what the recent onslaught of data privacy laws is trying to accomplish – and, of course, these don’t simply apply to Google and Facebook. Last year, the EU implemented the most stringent data protection law in the world, known as the General Data Protection Regulation (GDPR). Countries around the world took it to heart and began passing their own related legislation. In the United States, several states implemented data privacy laws too: the California Consumer Privacy Act (CCPA) was one of these.

CCPA vs. GDPR

The California Consumer Privacy Act was enacted by the state of California in 2018 and is expected to be put into effect by January 2020. What makes this particular law significant among the 50 data privacy laws that exist within the United States (each state currently has its own) is that it is the most stringent.

Because of this, people often equate it to GDPR. While different in many ways, the law does embrace three key tenants of the GDPR:

  1. It is not bound by physical geography; rather, it applies to companies that do business with residents of California. This means that a company could be in Canada or Australia. If they process data belonging to California citizens, the law will apply.
  2. Fines can be levied when companies do not comply. CCPA fines can be up to $7,500 per violation. With GDPR, this can be 20 million euro or 4% of annual worldwide revenue.
  3. It establishes the fact that people have rights with regard to their data. Both the CCPA and GDPR view data as something that is personal and which belongs to an individual. As such, individuals are given rights concerning what data is collected, how it may be used, and how it may be accessed.

However, the two privacy laws are not mirrors of one another. There are many differences including the specifics of rights that are granted to individuals, how certain terminology is defined, what the fines are, how and when fines can be assessed and who is subject to the laws.

Because the two laws aren’t aligned, it can be frustrating for businesses. Many companies just recently invested countless hours and dollars in order to comply with GDPR: these businesses must now consider an entirely different set of criteria under CCPA.

And quite honestly, as businesses, we have a responsibility to simply do the right thing without being sneaky about it.

Controversy Over the California Consumer Privacy Act

And that frustration is not the only controversy surrounding CCPA. CCPA was signed into law very quickly. At the time when the bill was presented, the Cambridge Analytica scandal was quite recent, so people in the state of California were actively demanding protection. In this climate a ballot initiative had been proposed by a consumer group that would have been voted on in a statewide election in November 2018. This initiative was more strict than CCPA. In an effort to make sure that this did not succeed, the California Consumer Privacy Act was proposed and hurried through the legislative process.

The haste with which the law was crafted has left room for uncertainty about its intent and how to comply with the law. Specifically, businesses continue to battle questions like:

  • What will the impact be on small businesses?
  • What unique needs do various industries have that will make it difficult, if not impossible, to comply? Have these been taken into account?
  • Does it make sense for businesses to be forced to comply with multiple, sometimes conflicting, data privacy laws?
  • What exactly are the definitions of things like consumers, personal information, households, sales, service provider and third parties?
  • Was it created in such a way that consumer data is truly more protected?

So, confusion and concern remain. In the course of the next year, it’s likely that the law will be repeatedly amended to make it more clear and efficient for all.

California Consumer Privacy Act Compliance Remains Crucial

That said, whether CCPA is implemented as-is or in some drastically different form, compliance with data privacy laws will now be a never-ending quest for business leaders. Whether your business is beholden to GDPR, CCPA or any other data privacy law, you certainly don’t want to be in the position of answering questions about things like Google and Facebook’s recently-banned apps. And quite honestly, as businesses, we have a responsibility to simply do the right thing without being sneaky about it.


Part of being in compliance with data privacy laws, much like any other law or guideline, is ensuring that your processes are well documented and are being followed. To learn more about using OTRS to streamline and simplify compliance efforts, click here.

Text:
Photos: Sean Pollock on Unsplash

Share the Story