White Paper – Top 5 Operational Impacts of the California Consumer Privacy Act of 2018

Published: January 2019

The California Consumer Privacy Act of 2018 was conceived and born in record time — not exactly “two days,” as the story goes, but close — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors, and lack of clarity. While there may yet be amendments, and indeed there has already been one set of amendments pushed through in the fall of 2018, this e-book is intended to help privacy professionals make operational sense of the law in its current form, understanding that the California legislature may tinker a bit before the law takes effect in January 2020.

The chapters that follow begin with the most basic of questions — “Do I fall under the law’s scope?” — and then move through a variety of operational obligations, from transparency to fulfilling access and erasure requests to making the California Attorney General happy and avoiding enforcement actions.

As we wrote these pieces, we tried to focus as much as possible on those aspects of the law most likely to change the way you think about your privacy program. What new systems might you need to install? Where might you need more personnel? What new risk do you need to account for? We have based the organization on our successful “Top 10 Operational Impacts of the GDPR” and “Top 10 Operational Responses to the GDPR” e-books, which have now been downloaded more than 100,000 times from iapp.org, and we hope you find this e-book similarly useful.

As always, this work is based on our own research, on crowd-sourced information from our surveys of members, and, importantly, on interviews with leading experts on the CCPA (as it’s now being called). Hopefully, you find here information you can use to formulate practical, real-world responses to what is perhaps the most all-encompassing privacy regulation ever passed at the state level.