What UK CISOs need to know about the California Consumer Privacy Act

UK businesses that have operations in California or deal with California residents may be subject to the CCPA. Compliance with GDPR is not enough.

Known as the “toughest data privacy law in the United States,” the California Consumer Privacy Act (CCPA) grants California residents greater rights over their data and sets the expectation that organisations will protect their personal information. Likened to the GDPR in the EU, the CCPA carries potentially expensive penalties for those that fail to meet its requirements and has extra-territorial reach. It can apply to UK organisations that have operations in California or deal with the personal information of California residents.

What is the CCPA and to whom does it apply?

Passed in June 2018, the CCPA is a state law designed to provide enhanced privacy rights and data protection for California residents. Similar to the GDPR and the Data Protection Act 2018 in the UK, it enables data subjects to know what personal data is being collected and whether it is being passed on to third parties, gives them the opportunity to opt out of data collection, and provides the right to be forgotten.

Personal information under the CCPA includes:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
