Privacy Lockdown: California Consumer Privacy Act of 2018

Megan BlackburnEcommerce

Since the implementation of the EU’s General Data Protection Regulation (GDPR), data protection and privacy have been at the epicenter of ecommerce discussions for some time. And as of June 28th, 2018, that discussion is larger and louder than ever. 

California Consumer Privacy Act of 2018

On June 28th, 2018, California Governor Jerry Brown signed a bill that successfully passed the California Consumer Privacy Act of 2018 (the “Act”) as law. This new law gives data and privacy discretion back to the consumer and officially awards five new privacy-related rights to California residents. Under the law, businesses must remain compliant with these new rights and must do so by providing notices within their privacy policies, as well as upon consumer request, on the who, what, where, when, and why of their data collection.

What are the official rights named in the Act?

The five new privacy rights listed in the Act are as follows:

(1) The right of Californians to know what personal information is being collected about them.

(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.

(3) The right of Californians to say no to the sale of personal information.

(4) The right of Californians to access their personal information and delete the information upon request.

(5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Who is protected under the Act?

The Act protects California-based consumers. As defined by the law, this means any business based outside of California, and even outside the U.S., that sells to Californians is required to comply with the Act’s provisions. 

So what does this mean for businesses?

In short, this means it’s time to embrace change. While some U.S. operations felt virtually unscathed by the rollout of GDPR, many of those businesses will have to make their own series of adjustments to remain compliant with the Act. However, only certain businesses will be affected. 

The Act defines a “business” as an operation meeting at least one of these requirements: 

  • Annual gross revenue in excess of $25 million
  • Processes information of 50,000 or more consumers, households, or devices
  • Derives at least 50% of annual revenue from selling personal information

While many modest small businesses might not meet these thresholds, it’s still important to note that intricate privacy and data protection laws are making their way to the United States. With that in mind, it isn’t a bad idea to get on board with compliance sooner rather than later.

How similar is the Act to GDPR?

Not very similar. While the Act and GDPR have some crossover, such as the general privacy rights granted to consumers and what they can request of their personal data, both laws are fundamentally different with regards to what they require of compliance. 

Some of the topics that appear in GDPR that do not appear in the Act are: 

  • Collection of clear, unambiguous consent
  • Procedures for data breaches and data breach notifications to consumers
  • Data security implementations, such as Data Protection Officers
  • Cross-border data transfers

The primary focus of GDPR was to create an all-encompassing law that outlined detailed, specific, and binding requirements for all businesses to uphold and maintain with regards to consumer privacy and data protection; the Act is a less comprehensive means of providing additional disclosures and information to consumers on how their data is processed, in addition to opportunities to “opt out” of its collection or use. CCPA requires more restrictive “opt in” rights for children under the age of 16. 

What is “personal information” under the Act?

CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

This includes, but is not limited to:

  • Personal identifiers such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Biometric information and geolocation data
  • Internet or other electronic network activity information
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Employment-related information and education information

Data associated with identity, such as name, birth date, and social security number is regarded as personally identifiable information (PII). The less traditional data, such as biometrics and geolocation is referred to as personal information (PI), which is “capable of being associated with, or could be reasonably linked, directly or indirectly, with a consumer or a household.”

How long does a business have to disclose or delete consumer information?

As outlined in the Act, businesses have 45 days to respond with the actions or information requested. A 45 day extension can be granted to a business, so long as the extension is communicated to the consumer within the initial 45 day window. Additionally, a business is not required to delete consumer data, so long as its collection and storage is relevant to the needs of that business to provide a good or service to its customers.

So if I’m compliant with GDPR, does that mean I’m compliant with the Act?

Don’t be fooled. While GDPR and the Act have similar provisions on consumer rights, GDPR does not subsume the Act. The main difference between the two laws is their consent methods. GDPR requires a consumer to “opt in” and give expressed, unambiguous consent to the collection and use of their data; the Act implements an “opt out” method. 

Furthermore, the Act features one major difference – the right of a consumer to request their data not be sold. This ‘Don’t Sell My Data’ option may require organizations in the business of selling data to implement separate opt-in and opt-out methods for GDPR and the Act’s respectively governed regions. 

What is the foreseen impact of the Act?

The Act could open the gates for larger data and privacy laws to take effect throughout the United States. While the Act does not take effect until January 1st, 2020, there is still time for refinements and amendments to be made. In the meantime, the earlier compliance can be made, the better.

As with GDPR, companies should start formulating compliance and implementation strategies to accommodate the forthcoming changes. While 2020 seems like quite a ways away, it’s best to prepare now so you don’t have to pay later.

What should I do now?

CCPA could open the gates for larger data and privacy laws to take effect throughout the United States. As with all other governing data protection laws and regulations, companies should formulate and implement strategies to accommodate the forthcoming changes.

With an ever changing landscape in data and privacy protection, it is best for businesses to uphold the safest and most compliant practices to forgo legal ramifications. If you have any questions about CCPA, GDPR, or compliance please reach out to an UpSellit Compliance Expert at