CDS Insights


California Consumer Privacy Act (CCPA)

No one is surprised that consumer privacy laws similar to those enacted in the EU would come into law in the United States. While many states have articles on the books dealing with data privacy and all have laws on breach notifications, the California law, which takes effect on January 1, 2020, is the most comprehensive to date. Known as the California Consumer Privacy Act (CCPA), this law aims to ensure California’s citizens personal data privacy.

Under the law, California residents have the following rights:

  • Know what personal data is being collected
  • Know if personal data is distributed and to whom
  • Opt out of the sales of personal data
  • Access to personal data

CCPA is specifically targeted at companies with annual revenues of $25m or more. Also included are companies that distribute the personal information of 50,000 or more consumers or that derive more than 50 percent of their revenue from selling consumer’s personal information. The law only applies to companies doing business with residents of California. An amendment to the law has passed the California legislature and is pending approval by the Governor that looks to remedy problems with the hastily passed original law. The amendment adjusts the financial penalties and changes the effective date to July 1, 2020.

Most event organizers and suppliers understand and comply with the EU GDPR legislation requirements. There is a fair amount of overlap in areas of data handling and breach notification in both the EU and California regulations. The California law also has many differences including informing consumers, data collection, and penalties. On many points, however, the laws differ significantly, and being prepared for GDPR does not ensure compliance with CCPA.

One of the biggest differences between the laws is the notification to consumers regarding what information is collected, how it is used or sold, and the option for consumers to request their information not be distributed before the data is collected. Companies are not restricted from collecting data about consumers.

Other states are starting to follow California’s lead and enact similar legislation. As the patchwork of complicated, state-specific rules grows, the federal government will most likely step-in to enact a countrywide standard and help ease the burden on corporate IT and IS departments that serve customers in multiple states.

Visit the California website explaining the law for more information. As with any legislation that affects the industry and your company, your legal counsel and compliance officer should provide guidance on how to manage the new requirements.

John "JD" Hawley, Chief Technology Officer

Read more posts by author