The California Consumer Privacy Act: What it is and How to Comply


2018 was a troubling year for privacy in the United States.

As news broke in March that Cambridge Analytica had harvested the personal data of over 200,000 Facebook users, Americans grew increasingly frustrated with the inadequacy of the nation’s privacy framework. This sad state of affairs might have been excusable if it were not for the sophisticated privacy regime the European Union was just shy of implementing. The European Union’s General Data Protection Regulation (better known as the “GDPR”) came into effect two months later on May 25. To date the GDPR represents the most comprehensive privacy statute in the world, and promises to overhaul the way organizations like Cambridge Analytica collect and process personal data. So far, the GDPR has generally lived up to these expectations.

It was against this frustrating backdrop of America losing the privacy “space race” that an unknown California real estate developer finally decided he’d had enough. Buoyed by the activist-friendly ballot initiative framework in his home state, Mr. Alastair Mactaggart personally spent $3.5 million to advance a data privacy ballot initiative in California. His efforts were immediately well received. Polling during the summer of 2018 indicated that his ballot measure had strong support, and that its passage was essentially guaranteed come November.

Seeking to re-assert its authority over the tech industry, the California Legislature stepped in at the 11th hour and passed “compromise” legislation that addressed most of the issues raised in Mr. Mactaggart’s ballot initiative. In doing so, the California Legislature was able to prevent the stricter ballot initiative from becoming law. On June 28, a mere month after the GDPR’s implementation date, the California Consumer Privacy Act (“CCPA”) was born.

The CCPA understandably caught many organizations off guard. Although there are no easy fixes, we felt it would be useful to identify the “Top 5” privacy initiatives organizations can take to position themselves toward compliance.

WARNING – this is NOT a complete list. This is intended as a brief primer only.

Step 1: Does this California thing even apply to us?

As many organizations shuffle through the law’s requirements, the baseline question of whether the CCPA applies to their business model is too often overlooked. This is not the GDPR! The California legislators purposefully attempted to exclude organizations that would be overly burdened when trying to comply.

Although the CCPA is subject to further amendment, the law is, for now, only applicable to a “business” that satisfies at least one of the following three thresholds:

  • Has annual gross revenues in excess of $25,000,000,
  • Processes the personal information of 50,000 or more consumers, households, or devices, or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

For those who are curious, the CCPA generally defines a business as a “legal entity that is organized or operated for the profit or financial benefit of its shareholders.” It is still unclear whether this definition will apply to trade associations and other pseudo-business organizations.

Step 2: Post a working “Do Not Sell My Personal Information” link on your homepage

Organizations doing business in California must ensure that consumers can opt-out of the sale of their personal information. Rather than leaving the opt-out mechanism to chance, the CCPA specifies that every business must display a “clear and conspicuous” ‘Do Not Sell My Personal Information’ link on their homepage. Once clicked, the consumer should be redirected to a page enabling them to opt out of the sale of their personal information.

It remains unclear whether the CCPA only permits consumers to opt out of the sale of their personal information, or whether this power will extend to other forms of data processing. Fingers crossed – upcoming regulatory guidance from the California Attorney General will hopefully bring greater clarity to this provision.

Step 3: Ensure that “opt-in” consent has been obtained for children under the age of 16

At first glance the CCPA might appear to be an “opt-out” privacy regime. It isn’t.

Businesses that sell the personal information of children under the age of 16 must ensure that they have obtained express permission before doing so. Stated differently, the CCPA generally permits businesses to sell your personal information so long as 1) you are 16 years or older, and 2) you have not opted out of the sale of such info as outlined in Step 2.

Interestingly enough, the federal Children’s Online Privacy Protection Act (‘COPPA’) already requires organizations in all 50 states to obtain permission of a guardian before processing the personal information of a child under the age of 13. The CCPA raises this requirement, as it applies to the sale of personal information, to children under 16 years of age. Children ages 13-15 are able to supply their opt-in consent on their own.

Organizations doing business in California need to pay particular attention to this requirement. Regulators across the globe have through the years consistently taken a more aggressive approach when the personal information of a child is at stake.

Step 4: Build an organizational plan to field consumer (i.e. ‘data subject’) requests

The central purpose of the CCPA is to provide California residents with rights that they can exercise against organizations that process their data. The CCPA generally provides California residents with the following four rights:

  • The right to access your personal information
  • The right to delete your personal information
  • The right to be informed of:
      • the categories of personal information a business collects,
      • the purposes for that collection,
      • the categories of sources from which that personal information is collected, and
      • the categories of third-parties with whom that personal information is shared.
  • The right to opt-out of the sale of personal information, as described in Step 2

The tools organizations will deploy to comply with these requests will (and should) vary from one business to the next. Generally, a company’s privacy policy should have an interactive link or working email that can accept a consumer’s request to exercise these rights. To be clear, such a link or working email should be separate from the Do Not Sell My Personal Information link described in Step 2.

Internally, businesses will need to develop controls and procedures to handle these requests. For those organizations already exposed to the GDPR, many of these tools can be leveraged to field requests arising under the CCPA. However, the individual scope of rights, required response times, and factors for honoring such requests differ between the CCPA and the GDPR.

Organizations should refrain from simply superimposing their GDPR data subject request model onto the California market.

Step 5: Update your privacy policy

California law has always placed a premium on transparency. Therefore it comes as no surprise that the CCPA similarly requires organizations to update their publicly-posted privacy policies to inform California residents of their new rights under the law. Although enforcement from the California Attorney General is not expected to begin until July 1, 2020, the law itself goes into effect on January 1, 2020. Businesses should have their privacy policies updated by that date.

Where We Go From Here

The California Legislature has already indicated that we can expect at least one more “cleanup” bill between now and the CCPA’s effective date of January 1, 2020.

Critically, the CCPA also contains a 12-month “look back period” for the consumer requests identified in Step 4. This means, even though the California Attorney General has already indicated that it will not begin enforcement until July 1, 2020, the look back period will require businesses to be able to produce accurate summaries of their data processing activities 12 months prior to that date – i.e. July 1, 2019. In short, CCPA compliance is not something that can be simply kicked down the road.

The time to act is now.

Jason Sarfati, CIPP/US
Jason Sarfati is a Data Privacy & Cybersecurity attorney in Washington, D.C. He holds a CIPP/US certification (Certified Information Privacy Professional) and is an active member of the International Association of Privacy Professionals (IAPP).