White Paper – Top 5 Operational Impacts of the California Consumer Privacy Act

Revised: January 2020

The California Consumer Privacy Act was conceived and born in record time — not exactly “two days,” as the story goes, but close — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors and lack of clarity. This white paper is intended to help privacy professionals make operational sense of the law as it takes effect and becomes enforceable in 2020.

The chapters that follow begin with the most basic of questions — “Do I fall under the law’s scope?” — and then move through a variety of operational obligations, from transparency to fulfilling access and erasure requests to avoiding enforcement actions by the California attorney general.

As we wrote these pieces, we tried to focus as much as possible on those aspects of the law most likely to change the way you think about your privacy program. What new systems might you need to install? Where might you need more personnel? What new risk do you need to account for? We have based the organization on our successful e-books “Top 10 Operational Impacts of the GDPR” and “Top 10 Operational Responses to the GDPR,” which have now been downloaded more than 100,000 times from iapp.org, and we hope you find this e-book similarly useful.

As always, this work is based on our own research, crowd-sourced information from our surveys of members and, importantly, interviews with leading experts on the CCPA. Hopefully, you will find information you can use to formulate practical, real-world responses to what is perhaps the most all-encompassing privacy regulation ever passed at the state level.

Below, you can view the different parts of this white paper series as originally published by the IAPP.

Part 1: Determining if you’re a business collecting or selling consumers’ personal information
By Rita Heimes, CIPP/E, CIPP/US, CIPM

Part 2: Transparency and notice obligations
By Lee Matheson, CIPP/A, CIPP/E, CIPP/US, CIPM

Part 3: Responding to consumers’ personal information access requests
By Rita Heimes, CIPP/E, CIPP/US, CIPM

Part 4: Rights of erasure, objection to sale, and non-discrimination
By Müge Fazlioglu, CIPP/E, CIPP/US

Part 5: Penalties and enforcement mechanisms
By Nicholas Schmidt, CIPP/US
