The California Consumer Privacy Act of 2018 (CCPA) introduces data protection to California. In this post we will answer the frequently asked questions so that you are prepared for the new legislation and know your next steps.

It will be interesting to see if other states in the US will follow California’s example. There is even discussion about a federal data protection legislation for the United States.

There is a website for you to easily access the full text of the CCPA: www.consumerprivacyact.com

GDPR lite?

The CCPA is an opt-out law. It grants consumers a limited set of rights to make decisions about the data companies have already collected. The GDPR, in comparison, gives people protective rights and is based on the fundamental right to privacy. That is why the CCPA is sometimes called “GDPR lite”. However, there are some differences between these pieces of legislation that need to be looked at closely.

Do I need to comply with the CCPA?

First, it is important to look at the territorial scope. You don’t need to read this post further if you realise that you don’t actually need to comply with the Act.

The CCPA applies to businesses that collect personal information of Californian residents. This means the scope is extra-territorial and you are not off the hook just because you don’t have any physical presence or base in California.

Still, there is some good news. You only have to comply if your company is fairly large and for-profit. The CCPA only applies to businesses that satisfy at least one of the following thresholds:

  • Annual gross revenue over $ 25 million;
  • Handling (buying, selling, etc.) personal information of more than 50 000 Californian consumers, households, or devices annually; or
  • At least 50% of annual revenue is selling Californian consumers’ personal information.

When does the California Consumer Privacy Act commence?

The California Consumer Privacy Act commenced on 1 January 2020. The enforcement, however, will only start on 1 July 2020. That means the CCPA deadline is really 1 July 2020.

If you have to comply with CCPA, now is the time to act

The Californian Attorney General has introduced a proposed text of regulations which will detail the measures and procedures introduced by the CCPA. The final text should be published by July 2020 at the latest.

I comply with the GDPR, isn’t that enough?

Even though the CCPA and the GDPR share similar requirements, they are not completely identical. Amongst other things, the CCPA introduces very specific data protection procedures. It is therefore necessary to review your company’s data protection measures and train your staff.

Just one example, which will be easy to implement, is the requirement in Section 135 of the CCPA to offer a “Do not sell my personal info” button on your website. If you sell personal information, you need to provide a visible button with that exact wording to enable Californian consumers to opt out. The GDPR rights stated in your privacy policy would not suffice.

What are the penalties for non-compliance?

The Attorney General of California can impose a penalty of 2 500 USD for each violation and 7 500 USD for each intentional violation of the Act. The CCPA does not state a maximum amount. Therefore, data protection violations can add up quickly, which creates a high financial risk for non-compliance.

Additionally, Californian consumers can exercise a private right of action. They can claim damages of 100 to 750 USD or actual damages, whichever is greater. However, the business does have the right to remedy a violation within 30 days to prevent a private action.

We can help you

If you need assistance with CCPA compliance, we are there to help you.

Useful resources