Policies first

Q&A on the CCPA: Understanding California’s New Data Privacy Law

7 minutes reading

by by Laura Pendleton

The new decade brings many challenges and changes to business by introducing a data security law that is the first of its kind stateside: the California Consumer Privacy Act (CCPA).

As of January 1st 2020, the CCPA is in effect for all businesses serving California residents. Companies have had to put in the time neccessary to reorganise both their stored data and processes to ensure they comply with the new rules. But if you’re new to the law and have questions, don’t panic. We’ve done our best to answer them here. 

I missed the January 2020 deadline! What should I do now? 

Underprepared companies can find themselves subject to fines and penalties issued by data owners (individuals, who are accountable for data assests). These fines must be paid and rectified within 30 days. These penalties are retroactive for 12 months, meaning that your company could potentially face repercussions from mishandled data from up to a year prior. However, it may take some time before the law is formally enforced in its entirety. Regardless, it’s imperative that you assess where your company stands with data privacy policies. You must create a map of all the information your company stores and identify which will need to conform to CCPA regulations. And, once you feel that your company has achieved compliance, there are likely to be more modifications and updates needed to remain in good standing. Generally, businesses should understand CCPA compliance as an ongoing process rather than an isolated achievement.

What are the main components of the CCPA? 

The CCPA gives California residents the right to know what personal data is being collected from them and whether it is sold or sent to anyone. In this case, they are able to opt out of the sale of their personal data as well as request access to it at any given time. They are protected by their own privacy rights, which means they can go as far as to request the deletion of their personal data, no questions asked. 

Is CCPA less restrictive than GDPR?

In some ways, yes. The CCPA has less stringent conditions for handling data than GDPR. For example, CCPA does not require companies to report a security breach within a narrow 72-hour window like GDPR does. However, the CCPA has a broader definition of what exactly counts as “private data” and presents a bigger challenge to IT specialists in identifying and securing that data. The law also allows consumers greater access to their personal information, which can be a challenge for companies to compile on an individual basis since many data sets are scattered across multiple storage platforms with varying permissions. Also, tracking systems must include all data from the past 12 months, as the law gives consumers the right to request access to data from the entire past year.

What do GDPR and CCPA have in common?


Since it is a California law, does that mean it doesn’t apply to businesses based in Europe?

If you deal with clients and companies that serve California residents, you must comply with the CCPA. For some reason, the new law has not been made widely known to business leaders around the world.

Around 44.2% of business leaders surveyed by ESET in 2019 still hadn’t heard of the CCPA. So it is imperative that you take action to protect your company from scandals and lawsuits. Companies responsible for compliance don’t have to be based in California, or even the United States. If they interact with California residents, they fall under the conditions of the law. Additionally, if they have personal data on a minimum of 50,000 people, earn over half of their revenue from selling personal data, or have annual gross revenues above $25 million, they are also included. 

What is the new California Consumer Privacy Act?

Is it difficult to comply?

The good news is if you have already taken the necessary steps to comply with GDPR, you’re off to a good start to becoming compliant with CCPA. The smaller steps require you to adjust your company’s privacy policy and include data consent information on your webpages. The trickier parts come with establishing the necessary processes for consumers to request, access, change, and erase their personal data. Many companies have outsourced some of these tasks to third-party officers responsible for making sure the data gets properly categorised and secured. These individuals are also able to conduct employee trainings on crucial CCPA compliance requirements so that you can focus on organisational needs.

How should a business deal with users who make data-related requests?

First, it is your responsibility as a business to create the means for users to submit requests regarding their personal data. Your website should include the necessary contact information as well as an application for formally submitting requests. On top of that, you must have a way of validating the identity of the user to avoid putting personal data into the wrong hands. If a business is unable to confirm the identity, a written explanation must be provided in order to stay transparent and accountable in the eyes of the CCPA. Some larger companies, like Google, are taking steps to offer service provider guidance to help partners comply with CCPA. So be sure to check if you qualify.


Are data privacy laws here to stay?

Many believe that the CCPA is just the beginning for data privacy laws in the U.S. Other states are expected to follow suit and create their own laws modelled on the CCPA. Critics often point to the financial burden placed on companies that must revamp and change processes in order to comply with regulations. The Standardized Regulatory Impact Assessment (SRIA) estimates that the CCPA will cost businesses $55 billion in total, with many businesses failing to achieve total compliance due to the act’s complexity. Because of this, some say that simply enacting new laws will not get to the root of the problem. Companies dealing with data feel entitled to its unrestricted use, regardless of the consequences to both they and their customers. It will take some time before society’s mindset toward internet safety takes a turn for the better. Despite this, the foundation is currently being laid by laws like the CCPA and GDPR, which put the consumer first.

Get your content

Click here to read our Privacy Policy.