California Consumer Privacy Act

California Consumer Privacy Act

California Gov. Jerry Brown signed into law June 28, 2018, a landmark privacy bill that is being compared to the EU General Data Protection Regulation for its overarching approach and strong privacy protections as well as the potential impact it may have on businesses around the world.



OneTrust_PrivacyConnect_H2 ads_square_green_300x250_20180709_

The law and official documents

The California legislature on August 24, 2018, published agreed amendments to the originally passed CCPA to address concerns voiced by industry and consumer groups alike. 

California Consumer Privacy Act of 2018

Assembly Bill No. 375 CHAPTER 55 An act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy.   [ Approved by Governor  June 28, 2018. Filed with Secretary of State  June 28, 2018. ] LEGISLATIVE COUNSEL'S DIGEST AB 375, Chau. Privacy: personal information: businesses. The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and r... Read More

Though lawmakers and others are already discussing amending the law prior to its Jan. 1, 2020, effective date, as passed the law would make it so:

  • Consumers have the ability to request a record of what types of data an organization holds about them, plus information about what’s being done with their data in terms of both business use and third-party sharing.
  • Businesses will have to have a verification process so consumers can prove they are who they say they are when they do their requesting.
  • Consumers have a full right to erasure, with carve-outs for completion of a transaction, research, free speech, and some internal analytical use.
  • Organizations will have to disclose to whom they sell data, and consumers will have the ability to object to the sale of their data. Businesses will have to put a special “Do Not Sell My Personal Information” button on their web sites to make it easy for consumers to object.
  • Sale of children’s data will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that.
  • Organizations cannot “discriminate against a consumer” based on the exercising of any of the rights granted in the bill. For example, you can’t provide a different level or quality of service based on a consumer objecting to the sale of their data. However, organizations could offer higher tiers of service or product in exchange for more data as long as they’re not “unjust” or “usurious.”
  • A covered “business” is defined as any for-profit entity that either does $25 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.
  • The law would be enforced by the Attorney General and create a private right of action for unauthorized access to a consumer’s “nonencrypted or nonredacted personal information.” Failure to address an alleged violation within 30 days could lead to a $7,500 fine per violation (which could be per record in the database, for example).
  • Finally, the law protects any “consumer,” defined as a “natural person who is a California resident,” which is defined as “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”


CCPA amendments clarify exemptions and fix some technical errors, but significant work remains

Sixty-four days after the California Assembly and Senate hastily passed the landmark California Consumer Privacy Act of 2018, the legislature passed SB 1121, which it termed a “technical corrections” bill. Next year, the legislature or the Attorney General’s Office must still grapple with a large number of drafting errors, as well as several practical problems and constitutional vulnerabilities in the CCPA.   In fact, SB 1121 is very short on technical corrections. It clarifies only a handful o... Read More

Calif. legislature approves first CCPA amendments, governor up next

My article last week discussed proposed technical amendments to the California Consumer Privacy Act in Senate Bill 1121. The bill ran into political headwinds and was not passed until late on Friday, the last day of the California legislative session. The amendments now go to Governor Brown for signature. During the past week four more amendments were added to the law now before Governor Brown: As requested by the California Attorney General, the proposed law now removes the “gatekeeping” fu... Read More

California legislature publishes CCPA amendments; vote scheduled for this week

Late last week California legislative leaders published their agreed technical amendments to the California Consumer Privacy Act of 2018. These amendments followed almost two months of intense lobbying by leading industry and consumer groups alike. Both groups want to see more changes, but consideration of those requests is now likely deferred until the legislature begins its new session in January 2019. While technically a small chance remains for additional changes to be made this week, observ... Read More

Analysis: The California Consumer Privacy Act of 2018

Broad data and business regulation, applicable worldwide As of January 1, 2020, companies around the world will have to comply with additional regulations related to processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies have to observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and liquida... Read More

Top 5 Operational Impacts of the CCPA

The California Consumer Privacy Act of 2018 was conceived and born in record time — two days — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors, and lack of clarity. This five-part series is intended to help privacy professionals make operational sense of the law in its current form, understanding that the California legislature has time before the law takes effect in January 2020 to clarify and amend the statute. Part 1: Determining i... Read More

GDPR matchup: The California Consumer Privacy Act 2018

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work toward compliance and help you focus your efforts. In this installment, Lydia De La Torre, CIPP/US, compares the new California Consumer Privacy Act 2018 to the GDPR. We all found out the results of the World Cup July 15, but there is a different matchup i... Read More

Web Conference: Understanding the California Consumer Privacy Act of 2018

Purchase Now Originally broadcast: Tuesday, July 10, 2018 What exactly does the law call for? How is a “California resident” defined, and which organizations will be affected? What are the penalties for non-compliance, and does it provide for a private right of action? Join us for a virtual discussion featuring some of the best privacy law experts on the West Coast, and learn the answers to these questions and more while getting the chance to ask your own. You’ll hear about the provisions of ... Read More

Unraveling the latest in the data protection juggernaut: What does the California Consumer Privacy Act mean for employers?

With the May 25 effective date of the European Union’s General Data Protection Regulation barely in the rear-view mirror, California’s Governor Jerry Brown, on June 28 signed into law the California Consumer Privacy Act of 2018. The law flashed onto the scene after a concerned and wealthy California citizen funded, and obtained the approval of, a ballot initiative for a similar law to be placed on the November 2018 electoral ballot. The initiative’s backer used that approval as leverage in the w... Read More

Will the CCPA's originators regret their deal with Calif. legislature?

The day the California Consumer Privacy Act of 2018 was passed, Alastair Mactaggart's kids, ages 7, 6 and 4, got ice cream for dessert. On a weeknight. That never happens. Dessert is only for weekends in Mactaggart's Bay Area home. But this was a really big deal. A landmark privacy bill had passed California's legislature, one that never would have passed without a grassroots effort by three obscure civilians, Mactaggart as the financier, who felt it was time consumers had more control over thei... Read More

The Privacy Advisor Podcast: On why the CCPA is bad law and suing Kanye West

What we know about attorney Jay Edelson to date: He loves beach volleyball so much that he had a court installed at his Chicago law firm so he and his crew could blow off steam. The New York Times refers to him as Silicon Valley's "baby faced boogeyman" for his aggressive court takedowns of tech behemoths. And he's got a very firm grasp on the global privacy and data protection legislative landscape. In this episode of The Privacy Advisor Podcast, Edelson talks about his latest legal pursuits, i... Read More

CyberSideChat with Morrison Foersters’s Andrew Serwin, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM

Compliance help

A starting point for CCPA compliance, despite the unknowns

Implementing the California Consumer Privacy Act of 2018 will take time, and organizations should start evaluating exposure and designing compliance plans now. There are many open questions, but that does not mean you can’t conduct an initial assessment that enables you to start planning for the resources you will need during 2019. This article outlines a pragmatic four-step approach to how to assess your exposure to the CCPA by identifying what entities in your group will be subject to the act ... Read More

Top 5 Operational Impacts of the CCPA

The California Consumer Privacy Act of 2018 was conceived and born in record time — two days — resulting in a comprehensive consumer privacy law that occasionally suffers from redundancy, drafting errors, and lack of clarity. This five-part series is intended to help privacy professionals make operational sense of the law in its current form, understanding that the California legislature has time before the law takes effect in January 2020 to clarify and amend the statute. Part 1: Determining i... Read More

How we got here

CCPA came about largely due to the efforts of a San Francisco real estate mogul who endeavored to improve the protection of California consumers’ personal information. Alastair MacTaggart championed and funded an initiative to get a similar bill put on the ballot, receiving more than 600,000 signatures — significantly more than necessary (though they were never officially certified).

Just days before the signatures were to be certified, California Democrats made an agreement with Mactaggart that if they could get a compromise bill signed into law prior to the deadline to get the initiative on the ballot he’d pull his version. In Mactaggart’s words, the proposed bill is “substantially similar to our initiative … It gives more privacy protection in some areas, and less in others.”

For their part, tech industry giants — some of which spent lots of money to oppose Mactaggart’s ballot initiative — announced they would not attempt to block the compromise bill, noting that while they disagree with much of it, it prevents the ballot initiative from moving forward.

It came down to the wire, but just hours before the close of session on June 28, 2018, Gov. Brown signed CCPA into law.   

California passes landmark privacy legislation

In a last-minute action, just a few hours before a looming deadline Thursday afternoon, the California legislature passed AB 375, the California Consumer Privacy Act of 2018. As a result of its passage, Alastair Mactaggart, the man behind a November ballot initiative to pass a similar law, has agreed to pull his bill from the ballot. In a news conference held to celebrate the bill’s passage and signature by Gov. Jerry Brown, Assemblymember Ed Chau, who leads the California Assembly’s Privacy Co... Read More

Tech companies pledge not to oppose Calif. privacy bill

The Internet Association, a Silicon Valley lobbying group representing tech companies, such as Facebook, Amazon and Google, announced it will not oppose the internet privacy bill making its way through California’s legislature, MediaPost reports. While the Internet Association disagrees with aspects of the bill, the group prefers it to the law proposed by real estate mogul Alastair Mactaggart, who said he will withdraw his initiative if the current privacy legislation passes and is signed by Thu... Read More

California Legislature reaches tentative agreement on consumer privacy rules

The Los Angeles Times reports California Democrats have reached a tentative agreement with real estate mogul Alastair Mactaggart that would "enact major new consumer privacy rules in exchange for the withdrawal" of a robust privacy initiative that was set to go on the November ballot. According to the report, the deal is "contingent on legislation passing both houses and getting signed by Gov. Jerry Brown" before the June 28 deadline for the finalization of the November ballot. In a statement, M... Read More

California ballot initiative: Speed bump or brick wall?

A California ballot initiative currently gaining momentum through the legislative process has some saying it has the potential to cripple business across the U.S. and would have ramifications, unintended or not, far more reaching than the European Union's newly enacted and expansive data protection law, the General Data Protection Regulation.  The proposal comes from an unlikely candidate: a real estate mogul based in San Francisco. Alastair Mactaggart was casually talking to an engineer at Goo... Read More


While there remain unknowns with the CaCPA, we do know it has the potential to affect millions of businesses worldwide. 

Web con: 'California’s Privacy Law Changes and Its Impact on Brands'

The California Consumer Privacy Act of 2018 will come into effect January 2020, and brand owners will need to pay attention to recent provisions and amendments that have added new compliance requirements. Join the IAPP and the International Trademark Association Nov. 13 for this web conference when privacy professionals discuss the pros and cons of the CCPA and examine potential amendments. Speakers include IAPP Knowledge Manager Dave Cohen, CIPP/E, CIPP/US, Loeb & Loeb Advanced Media & ... Read More

How the CCPA could be great for startups

Let’s face it: There has been a lot of lamenting the California Consumer Privacy Act of 2018's existence. But rather than lament, let’s think about the ways it can have a positive impact. Many people have ridiculed its potential effect on startups, but the CCPA can actually help such companies.  The CCPA's legislative effect We are already seeing the national effect of the CCPA: Only a year ago did federal omnibus privacy legislation seem like a non-starter. Now, it seems like a surety. This d... Read More

New California privacy law to affect more than half a million US companies

The brand-new California Consumer Privacy Act of 2018, which swept through the California legislature last week with startling speed as a compromise measure preempting an even stricter ballot initiative, will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. These figures were derived by an IAPP examination of the language of the law as applied to U.S. census data about American businesses.  The new act, which provides California resid... Read More