White Paper – California's Consumer Privacy Act: Three requirements for effective compliance

Published: September 2019

The California Consumer Privacy Act of 2018 (CCPA) removes the bar on discovery by granting California residents unprecedented access to their data held by companies. Much like the GDPR, the law reaches outside California’s law-making jurisdiction to affect a great number of organizations who hold the data of California residents ranging from consumers to an organization’s own employees.

Perhaps the greatest threat companies face under the CCPA are data access demands from residents and forthcoming litigation driven by the plaintiffs’ bar. Unlike the GDPR, which specifically applies to information that directly or indirectly identifies the consumer, CCPA applies to any data that can be directly or indirectly associated with a consumer or household, a much broader definition of personal information.

Consequences for non-compliance are extreme – legally, financially, and reputationally. Perhaps the greatest threat companies face under the CCPA are data access demands from residents and litigation that will be driven by the plaintiffs’ bar.