California is yet again leading a wave of progressive reform, this time in the realm of data privacy. On January 1, 2010, the California Consumer Privacy Act (CCPA) will go into effect. The Act brings with it a massive set of privacy regulations which will seriously impact U.S. businesses.
The primary focus of the legislation is to give consumers the ability to ask companies to disclose which personal information they have collected about them. And if the consumer desires to delete that data, or forbid a company from sharing it, they now have the right. That process will be easier than ever, meaning that consumers will just need to call a phone number or navigate a user-friendly website to clear their name. And customers that opt to delete their data or safeguard it from data sales cannot be penalized or charged higher prices for doing so. The law has already been amended in several ways, and will likely continue to change before it goes into effect.
While the legislation is only passing in the state of California, it will have a massive ripple effect on businesses nationwide. Most large companies have to do business in California, so their compliance methods are more than likely to spread to other states by default. Plus, it’s an opportunity for corporations to win brownie points for adopting progressive policy, even if it’s by force. Any company that makes data sales a core part of its business will be affected by the legislation. More specifically, that means any business which either makes more than $25 million annually on data sales, holds data on more than 50,000 consumers, or makes more than half of its revenue through data sales.
As far as which data can be deleted through these soon-to-be-implemented processes, the list is fairly vast in scope. It includes geolocation information, biometrics, browsing data, purchase history, and academic and employment information. It’s also common practice for data brokers and other various companies to make inferences based off this data, creating a consumer profile for targeting purposes. Fortunately, that profile can also be deleted upon request. This change will undoubtedly have a significant impact on how businesses operate in the state of California. The learning curve for companies, especially small ones, will be significant. Progressive change requires this kind of education, however, and that struggle will push the United States in the right direction.
The penalties for failing to comply with these regulations will vary from case to case. The CCPA calls for penalties of up to $7,500 for intentional violations of the law. Individual consumers, however, can sue a negligent company for anywhere between $100 and $750 if their data is breached. That sum may seem fairly low, but in the event of a breach it could be multiplied by millions. As is, the law requires California’s Attorney General to enforce these penalties. It goes without saying that the AG office will need more resources to police the law, and the logistics of that operation are actively being sorted out. All in all, it’s a tremendous step forward even if it’s not as harsh or far-reaching as it could be. And hopefully it will inspire the national legislature to kick into gear and pass a stronger version across the United States.