Is California’s Consumer Privacy Act of 2018 going to be GDPR version 2?

Aug 01, 2018 | 6 mins

Discussing the California Consumer Privacy Act of 2018, which covers businesses that collect or sell information about California residents. Some view it as the General Data Protection Regulation 2.0.

The California Consumer Privacy Act of 2018 (the “CCPA”) does not take effect until January 1, 2020, but businesses need to start planning for compliance now. The CCPA gives California consumers significantly expanded rights over the collection and use of their personal information by businesses. It covers any business that meets the statute’s revenue or data-volume thresholds and that collects or sells information about California residents.

Applicability to businesses

The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (“GDPR”).

The law applies to for-profit entities that do business in California, that have a role in determining the means and purposes of the processing of personal information, and that meet at least one of three thresholds: (a) annual gross revenues in excess of $25,000,000; (b) annual processing of the personal information of 50,000 or more California residents, households, or devices; or (c) at least half of gross revenue derived from the sale of personal information. Thus, the CCPA’s applicability turns on corporate structure (for-profit status), total revenue and its source, and the amount of personal information processed, regardless of where the business is actually located. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may reach businesses with only loose ties to California.

Despite its apparently broad reach, the CCPA specifically excludes personal information covered by certain other federal and state laws, including: health information protected by California’s Confidentiality of Medical Information Act (the “CMIA”) or HIPAA; the sale of information from or to a consumer reporting agency, if the information is used as part of a consumer report in compliance with the Fair Credit Reporting Act (“FCRA”); and, only to the extent the CCPA conflicts with those statutes, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) or the Driver’s Privacy Protection Act (“DPPA”).

Requirements of CCPA

As currently enacted, the law dramatically increases consumers’ rights of access and control over how their personal information is collected, used, sold and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:

  • Right to Personal Information Collected by Businesses: Consumers will have the right (subject to identity verification) to obtain a record of the personal information that a business collects about them, as well as information about the sources of that personal information and the business or commercial purposes for which it is collected.
  • Right to Erase Personal Information: Consumers can require (subject to identity verification and limited exceptions) a business and its service providers to delete any personal information the business holds about the consumer once that personal information is no longer needed.
  • Right of Opt-Out: Consumers will have the right to opt out of any future sale of their personal information, at a minimum through a “Do Not Sell My Personal Information” link on the business’s home page.
  • Opt-In Requirement for Minors: Businesses are prohibited from selling the personal information of consumers whom the business actually knows to be under 16 years old without the minor’s own or a parent’s opt-in consent.
  • Prohibits Waiver and Retaliation by Businesses: Waivers of consumer rights and remedies under the CCPA are unenforceable, and businesses cannot discriminate against consumers for exercising their CCPA rights, such as by denying goods or services to the consumer or by charging (or suggesting) different prices or rates for goods and services.
  • Increased Transparency: Businesses will need to be substantially more transparent about their collection and use of personal information and must give consumers notice (in their privacy policies) of their new rights under the CCPA.


Before the law takes effect, the CCPA requires the Attorney General to adopt implementing regulations, including any exceptions, procedures, rules, and other regulations necessary to establish compliance or to further the CCPA’s purposes. Technology companies have strongly opposed the CCPA and can be expected to lobby to shape those implementing regulations. Compliance requirements are therefore likely to evolve between now and the effective date, which warrants continued monitoring.

The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure an alleged violation within 30 days of notice will be subject to a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation.

The CCPA also provides a private right of action for consumers whose nonencrypted and nonredacted personal information (as more narrowly defined under California’s data breach notification law) is subject to theft or other unauthorized disclosure as a result of a business’s failure to implement and maintain reasonable security measures, as required under California law. Subject to certain procedural requirements, each such incident allows a consumer to recover the greater of actual damages or statutory damages of $100 to $750 per consumer per incident. Because the right of action is limited to nonencrypted and nonredacted data, encrypting or redacting stored personal information directly reduces a business’s exposure under this provision. As with other privacy statutes, claimed violations of the CCPA could be the basis for class actions.

Impact on businesses

Although the CCPA will not go into effect until 2020, it will take time for affected businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation for the CCPA’s implementation:

  • Conduct a data mapping of the personal information the business collects, to understand the scope of that information and how it is used and shared with third parties.
  • Review internal policies and procedures so the business can respond appropriately to consumers’ requests for access, deletion, or information about the sale or disclosure of their personal information.
  • Closely monitor guidance from the California Attorney General on appropriate verification measures for consumer requests. The CCPA requires a business to match the information a consumer provides against the information it has collected, sold, or disclosed about that consumer in order to verify the consumer’s identity, but it instructs the California Attorney General to solicit public comment and promulgate further regulations in this area.
  • Begin planning and implementing the changes to information systems that may be needed to process consumer requests and to honor consumers’ opt-outs from the sale of personal information.
  • Review and update privacy policies to comply with the CCPA’s disclosure requirements once those requirements are settled.
  • Begin preparing training materials and planning training for all personnel responsible for handling consumer inquiries about personal information.
  • Update contracts with third parties and service providers that receive consumer personal information to ensure the vendor can respond appropriately to consumer requests to delete information. Consider using third-party audits to verify CCPA compliance, and conduct those audits through legal counsel to support the position that the results are covered by attorney-client privilege.

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management practices. He is one of the few practicing lawyers who has satisfied the rigorous requirements for the Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified in Risk and Information Systems Control (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.