Skip to content

California Consumer Privacy Act

Feb 7, 2020

The California Consumer Privacy Act (“CCPA” or the “Act”) took effect on January 1, 2020.  The Act gives California residents the right to know what personal data of theirs companies collect, use, share or sell.  The law covers a wide range of data including names, addresses, Social Security numbers, passport numbers, email addresses, internet browsing histories, purchasing histories, personal property information, health information, professional or employment information, and educational records.[1]  It also allows the state’s residents to ask companies to delete their data and not sell it. CCPA applies to companies that collect consumer data, do business in California, and fall under one of the following three thresholds[2]:

  • Annual gross revenue over $25 million.
  • Access to personal information of more than 50,000 people.
  • 50% or more in annual revenue from selling consumer personal information.

The obligations for companies as related to the Act are summarized below:

  • Providing consumers with a report which can be performed by “data mapping” that is continually updated to provide the following information:[3]
    • Categories of personal data being collected;
    • Sources from which the company obtains personal information;
    • Specific personal information the company has;
    • Reasons the company collects personal information;
    • Third parties with whom business has shared personal information; and
    • Who at the company has access to the information.
  • Making it easy for consumers to exercise their rights under the Act, such as by providing a link on the organization’s website or access to a toll free 800 number.
  • Responding within specific time frames (45 days for deletion of personal data) to requests made by consumers under the Act.
  • Keeping records of all requests made under the act and how they responded.
  • Updating privacy policy as it relates to the Act.
  • Verifying the identity of consumers making requests under the Act.
  • Ensuring reasonable security measures have been implemented, both physical and electronic, to safeguard the personal information of employees and job applicants.

Even though the CCPA went into effect on January 1, 2020, the California Legislature has allowed a six- month grace period before enforcement.  As the CCPA begins to take hold in California, the natural question is: Will other states follow?  Currently, nine other states are considering similar laws and Maine and Nevada have passed narrower versions of the privacy legislation. Five other states have tabled new privacy rules, and instead created task forces that will study how to regulate data privacy.[4] Given the CCPA and expected changes to come in other states, many companies are extending the CCPA to all states in which they operate.

After the CCPA passed, many companies voiced concerns that they would soon need to comply with 50 different privacy laws.  As such, the argument that it would be more effective – and certainly more straightforward – to pass a single, federal privacy law that applies to all states equally has been gaining momentum.  Currently, a number of federal-level privacy bills have already been proposed, including the following:

  • The Data Care Act of 2019, which was introduced on December 2, 2019 by U.S. Senator Brian Schatz, (D, HI) and 16 other sponsors. The bill has not yet moved beyond the Senate Committee on Commerce, Science, and Transportation.[5]
  • In November 2019, the Senate Democrats introduced a Consumer Online Privacy Rights Act (COPRA) digital privacy bill that would push for a federal privacy law and would strengthen the Federal Trade Commission’s (FTC’s) ability to enforce digital privacy protections.[6]
  • Most recently, Senator Marco Rubio (R, FL) has proposed the American Data Dissemination Act, a much less rigorous privacy law that would ask the FTC to recommend rules and regulations that Congress would finalize, rather than giving it the authority to create regulations.[7]

If any of the above becomes federal law, it will most certainly need to garner broad support and satisfy a range of competing interests.  So is the CCPA setting the standard for other states or federally?  Time will tell, but it seems likely that a new generation of privacy legislation across the United States is on its way.[8]  The rest of the United States is watching California closely, scrutinizing the amendments that are passed, and modifying their own legislation accordingly.

[1] AP, “California consumer privacy law can affect businesses across U.S. starting January 1,” CBS News, December 18, 2019. 

[2] Quartararo, Mike, “Challenges of the California Consumer Privacy Act,” Above The Law, October 29, 2019

[3] Usama, Kahe, Ebbink, Benjamin, “California’s Groundbreaking Privacy Law Amended: What Do Employers Need To Know?” Fisher Phillips, October 12, 2019.

[4] Hautala, Laura, California’s new privacy rights could come to your state, too”,  cnet, January 3, 2020

[5] Sentence, Rebecca, “How has the California Consumer Privacy Act (CCPA) changed data privacy in the US?”, Econsultancy, June 18, 2019

[6] Feiner, Lauren, “Senate Democrats reveal new digital privacy bill that would strengthen the FTC’s enforcement powers over tech companies”, CNBC, November 26, 2019

[7] Reints, Renea, “Marco Rubio Introduces Privacy Bill to Create Federal Regulations on Data Collection”, Fortune, January 16, 2019

[8] Sentence, Rebecca, “How has the California Consumer Privacy Act (CCPA) changed data privacy in the US?”, Econsultancy, June 18, 2019

PRTS Intelligence Newsletter - Q4 2020

Contact EisnerAmper

If you have any questions, we'd like to hear from you.

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.