California Consumer Privacy Act 2020 Explained

California Consumer Privacy Act

The CCPA goes into effect on January 1st 2020, the California Consumer Privacy Act represents one of the most sweeping acts of legislation enacted by a U.S. state to bolster consumer privacy. Falling on the heels of the EU GDPR, California Consumer Privacy Act may mark the beginning of stricter U.S. consumer privacy protections.


The California Consumer Privacy Act is a piece of consumer privacy legislation which passed into California law on June 28th of 2018. The bill, also known as “AB 375,” has been described by some as “almost GDPR in the US.” Far and away, this Act is the strongest privacy legislation enacted in any state at the moment, giving more power to consumers in regards to their private data. With a variety of major tech giants based in California, including Google and Facebook (both of which have recently suffered data breaches), AB 375 is poised to have far-reaching effects on data privacy. AB 375 will go into full effect on January 1st, 2020.

Companies that already with the Privacy Shield or EU GDPR may find that they currently meet some of the requirements set forth in the California Data Privacy Protection Act. With many  pundits predicting that other states will follow suit in the coming years, companies across the U.S. that take proactive steps today to better protect consumer data will be best equipped to ride the waves of change.


There are a number of terms defined in the legislation in order to clarify the parameters of the law. Certain businesses and all Californian consumers are the two groups who fall under the provisions in the bill, defined as:

  • Consumer: According to the Act, “‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations…”
  • Business: This term has a lengthy definition in the bill, which describes many typical business models and types. Three key articles to pay attention to include:
    • For-profit entities which do business in California and collect personal information of consumers.
    • “Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)…”
    • “Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”


Another important term loosely defined in the bill is “personal information.” According the AB 375, “The bill…would define ‘personal information’ with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information.”

Dozens and perhaps hundreds of specific data items are mentioned in the legislation, including:

    • Biometric data
    • Household purchase data
    • Family information (e.g., how many children)
    • Geolocation
    • Financial information
    • Sleep habits


      • General Disclosure: If a business (as defined by the bill) collects any type of personal information, this should be disclosed in a clear privacy policy available on the website of the business.
      • Specific Requests: Should a consumer desire to know what data is being collected, the company is required to provide such information — specifically about the individual. Some of the requests that can be made include:
        • The categories of personal information collected
        • Specific data collected about the individual
        • Methods used to collect the data
        • A business’ purpose for collecting the information
        • Third parties to which personal information may be shared
      • Deletion: If the consumer desires, personal information (with exceptions) will be deleted by the business.
      • Same Service: Regardless of a consumer’s request and preferences about how their personal information is handled, businesses are required to provide “equal service and pricing…even if they [consumers] exercise their privacy rights under the Act.”


As it stands, businesses will be required to comply with all provisions outlined in the final version of AB 375 by January 1, 2020. Companies actively doing business in California will need to adjust their current practices to avoid violations of the law.

Many of these changes translate to a need for:

      • Organized Data Collection: The bill allows consumers to request the specific information collected about them. These requests are to be provided at no cost to the consumer. Companies need to have the ability to quickly search, compile and send these reports to consumers.
      • Clear, Transparent Policies: Consumers can request a report on the types of data collected, data sources, collection methods, and uses for their data. While the data itself needs to be stored in a well-constructed database, many consumer questions can be quickly answered in comprehensive privacy and data collection policies.
      • Knowledge of Specific Provisions: There are clearly outlined requirements within the California Data Privacy Protection Act including things such as:
        • “Provide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page…”
        • Ensure any individuals who handle consumers’ private data know and understand all pertinent regulations.

In the time leading up to full implementation in 2020, there will likely be amendments that change current provisions, remove requirements, or even add to the regulation. It is important for all businesses to work towards a safe and healthy relationship between data collection and privacy while staying up-to-date regarding new data regulations.

The Data Compliance Group can assist your organisation in implementing all policy and procedure as well as an initial Gap Analysis with data mapping. The Data Compliance Group can support you on-going with support and active advice to ensure you remain compliant. Contact our sales team to discuss

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.