California Continues its Role as a Privacy Vanguard: California Privacy Act of 2018

On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”).[2] CCPA grants new privacy rights to Californian residents and applies a notice and consent framework to most businesses operating in California that collect personal information from those residents.

Effective January 1, 2020, Californian residents – referred to in the CCPA (and below) as “consumers,” although CCPA also covers employees, vendors and others – will have new rights over their personal information:

To give effect to these new consumer rights, CCPA requires a covered business to provide a description of the rights, including specifically:

A covered business also must respond to a verifiable consumer request:

CCPA also authorizes a private right of action for unauthorized access to or disclosure of personal information if the access or disclosure results from a business’ failure to implement “reasonable” security procedures and practices that are “appropriate” to the nature of the personal information.[11]

CCPA has been compared to the General Data Protection Regulation (“GDPR”), the EU’s broad and strict privacy and data protection law that went into force on May 25, 2018.[12] Although CCPA offers some data privacy rights for Californians that are similar to GDPR, CCPA lacks many of GDPR’s privacy compliance infrastructure requirements.[13] As a result, businesses subject to CCPA that already have undertaken GDPR compliance will find CCPA’s additional requirements more process than substance.

Today, CCPA is challenging because some of its compliance requirements are unclear. The California Attorney General is tasked with adopting regulations, rules and procedures that should help to clarify how to comply in the future. Until then, an affected business can take the time to understand CCPA’s purpose and scope and to inventory the personal information about Californians that the business collects, uses and discloses, but it cannot necessarily undertake any specific compliance steps until the California Attorney General or legislature provides further guidance.

Please refer to our FAQs for answers to common questions our clients have asked since CCPA was enacted. The FAQs will be updated over the coming months.


[1] With invaluable help from Brian Philips (Counsel, Raleigh) and Jenny Sneed (Associate, Raleigh).
[2] CAL. CIV. CODE § 1798.100 et seq.
[3] CAL. CIV. CODE § 1798.100(b), 110, 115.
[4] CAL. CIV. CODE § 1798.100(d).
[5] CAL. CIV. CODE § 1798.105.
[6] CAL. CIV. CODE § 1798.120.
[7] CAL. CIV. CODE § 1798.125.
[8] CAL. CIV. CODE § 1798.100(b).
[9] CAL. CIV. CODE § 1789.130(a)(4)(B).
[10] CAL. CIV. CODE § 1798.135(a)(4).
[11] CAL. CIV. CODE § 1798.150.
[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. GDPR applies to personal data collected from individuals in the European Union (“EU”) by any organization operating within the EU or operating outside of the EU but offering goods or services in the EU.
[13] See, e.g., Data protection by design and default. GDPR Article 25.

Copyright 2024 K & L Gates
National Law Review, Volume VIII, Number 215