Skip to content

California Consumer Privacy Act

Published
Feb 7, 2020
Share

The California Consumer Privacy Act (“CCPA” or the “Act”) took effect on January 1, 2020.  The Act gives California residents the right to know what personal data of theirs companies collect, use, share or sell.  The law covers a wide range of data including names, addresses, Social Security numbers, passport numbers, email addresses, internet browsing histories, purchasing histories, personal property information, health information, professional or employment information, and educational records.[1]  It also allows the state’s residents to ask companies to delete their data and not sell it. CCPA applies to companies that collect consumer data, do business in California, and fall under one of the following three thresholds[2]:

  • Annual gross revenue over $25 million.
  • Access to personal information of more than 50,000 people.
  • 50% or more in annual revenue from selling consumer personal information.

The obligations for companies as related to the Act are summarized below:

  • Providing consumers with a report which can be performed by “data mapping” that is continually updated to provide the following information:[3]
    • Categories of personal data being collected;
    • Sources from which the company obtains personal information;
    • Specific personal information the company has;
    • Reasons the company collects personal information;
    • Third parties with whom business has shared personal information; and
    • Who at the company has access to the information.
  • Making it easy for consumers to exercise their rights under the Act, such as by providing a link on the organization’s website or access to a toll free 800 number.
  • Responding within specific time frames (45 days for deletion of personal data) to requests made by consumers under the Act.
  • Keeping records of all requests made under the act and how they responded.
  • Updating privacy policy as it relates to the Act.
  • Verifying the identity of consumers making requests under the Act.
  • Ensuring reasonable security measures have been implemented, both physical and electronic, to safeguard the personal information of employees and job applicants.

Even though the CCPA went into effect on January 1, 2020, the California Legislature has allowed a six- month grace period before enforcement.  As the CCPA begins to take hold in California, the natural question is: Will other states follow?  Currently, nine other states are considering similar laws and Maine and Nevada have passed narrower versions of the privacy legislation. Five other states have tabled new privacy rules, and instead created task forces that will study how to regulate data privacy.[4] Given the CCPA and expected changes to come in other states, many companies are extending the CCPA to all states in which they operate.

After the CCPA passed, many companies voiced concerns that they would soon need to comply with 50 different privacy laws.  As such, the argument that it would be more effective – and certainly more straightforward – to pass a single, federal privacy law that applies to all states equally has been gaining momentum.  Currently, a number of federal-level privacy bills have already been proposed, including the following:

  • The Data Care Act of 2019, which was introduced on December 2, 2019 by U.S. Senator Brian Schatz, (D, HI) and 16 other sponsors. The bill has not yet moved beyond the Senate Committee on Commerce, Science, and Transportation.[5]
  • In November 2019, the Senate Democrats introduced a Consumer Online Privacy Rights Act (COPRA) digital privacy bill that would push for a federal privacy law and would strengthen the Federal Trade Commission’s (FTC’s) ability to enforce digital privacy protections.[6]
  • Most recently, Senator Marco Rubio (R, FL) has proposed the American Data Dissemination Act, a much less rigorous privacy law that would ask the FTC to recommend rules and regulations that Congress would finalize, rather than giving it the authority to create regulations.[7]

If any of the above becomes federal law, it will most certainly need to garner broad support and satisfy a range of competing interests.  So is the CCPA setting the standard for other states or federally?  Time will tell, but it seems likely that a new generation of privacy legislation across the United States is on its way.[8]  The rest of the United States is watching California closely, scrutinizing the amendments that are passed, and modifying their own legislation accordingly.

[1] AP, “California consumer privacy law can affect businesses across U.S. starting January 1,” CBS News, December 18, 2019.
https://www.cbsnews.com/news/california-consumer-privacy-law-can-affect-businesses-across-u-s-starting-january-1/ 

[2] Quartararo, Mike, “Challenges of the California Consumer Privacy Act,” Above The Law, October 29, 2019
https://abovethelaw.com/2019/10/challenges-of-the-california-consumer-privacy-act/

[3] Usama, Kahe, Ebbink, Benjamin, “California’s Groundbreaking Privacy Law Amended: What Do Employers Need To Know?” Fisher Phillips, October 12, 2019.
https://www.fisherphillips.com/Employment-Privacy-Blog/CCPA-Amendments-Affecting-Employers-Doing-Business-In-California

[4] Hautala, Laura, California’s new privacy rights could come to your state, too”,  cnet, January 3, 2020
https://www.cnet.com/news/californias-new-ccpa-privacy-rights-could-come-to-your-state-too/

[5] Sentence, Rebecca, “How has the California Consumer Privacy Act (CCPA) changed data privacy in the US?”, Econsultancy, June 18, 2019
https://econsultancy.com/california-consumer-privacy-act-ccpa-changed-data-privacy-united-states/

[6] Feiner, Lauren, “Senate Democrats reveal new digital privacy bill that would strengthen the FTC’s enforcement powers over tech companies”, CNBC, November 26, 2019
https://www.cnbc.com/2019/11/26/senate-democrats-reveal-new-copra-digital-privacy-bill.html

[7] Reints, Renea, “Marco Rubio Introduces Privacy Bill to Create Federal Regulations on Data Collection”, Fortune, January 16, 2019
https://fortune.com/2019/01/16/marco-rubio-data-collection-bill/

[8] Sentence, Rebecca, “How has the California Consumer Privacy Act (CCPA) changed data privacy in the US?”, Econsultancy, June 18, 2019
https://econsultancy.com/california-consumer-privacy-act-ccpa-changed-data-privacy-united-states/

PRTS Intelligence Newsletter - Q4 2020

Contact EisnerAmper

If you have any questions, we'd like to hear from you.

Explore More Insights

engineering drawing
Article

CFIUS Proposes Enhanced Review Procedures and Increased Penalties for Violations

Read More
a building with a tree growing on the roof
On-Demand Webinar

Navigating the SEC Climate Disclosures | Insights and Strategies

Read More
a laptop and a phone on a table
Article

Material Weakness in Internal Controls: The Real Impacts

  • SOX Compliance
Read More
a person using a phone
Article

The Critical Role of Risk Assessments for Public Companies

  • SOX Compliance
Read More
a close-up of a key chain on a keyboard
Article

The Evolving Landscape of Data Privacy in Higher Education

Read More
diagram
Podcast

Learning and Leveraging AI with Jordan Wilson

  • Artificial Intelligence
Read More
a group of computer servers
On-Demand Webinar

IRS Enforcement of Digital Assets is on the Rise | Tax Guidance and Expectations

  • Tax
Read More
diagram
Podcast

The Art of Organizational Change w/ Ahmad Fahmy

Read More
chart
Article

Identity Access Management

Read More
a person in a garment holding a gun
Article

Organizational Risk to Using Generative AI: Hallucinations in LLM Chatbots

  • Artificial Intelligence
Read More
a close-up of a computer
Article

Eight Key Takeaways from Workiva Amplify 2023

Read More
a light bulb on a table
Article

Customer Service Redefined with Conversational Artificial Intelligence

  • Artificial Intelligence
Read More
View All Insights

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.

Subscribe