The California Consumer Privacy Act of 2018

On June 28^th 2018, California passed the California Consumer Privacy Act (CCPA), which is considered to be the strongest privacy protection measure in the U.S. The new California law, which takes effect as of January 1^st 2020, grants residents of California a broad protection when it comes to processing their personal data by a profit orientated business.

The new Act has an impact on every company that does business in California or to affiliated, co-branded entities of the business that meets the below criteria even if the affiliate does not have a business in California. For the CCPA to be applicable, the business either

1. has an annual gross Revenue of $25 million or more,
2. collects, busy or sells 50,000 or more consumers’ personal information each year for commercial purposes or
3. dervies 50% or more of their annual Revenue from selling consumers’ personal Information.

After the European General Data Protection Act (GDPR) became effective as of 25^th May 2018, businesses who are also dealing with data of Californian residents will have to comply with an additional regulation.

California being the 5^th largest global economy behind the United States, China, Japan and Germany (even beating the United Kingdom) companies should take a number of affirmative steps to comply with the new requirements prior to  1^st of January 2020.

While both the GDPR and the CCPA address the collection of personal information by businesses, they differ in their obligations and requirements for businesses to be compliant. Unfortunately, the implementations, which came into action for the GDPR, will not be enough for the CCPA regulation.

Even though the CCPA is stricter in some aspects, unlike the GDPR demands, businesses will not be required to get people’s permission to collect their personal data in the first place.

The CCPA however defines personal data more broadly and requires specific disclosures and communication channels that are not required by the GDPR. The CCPA also contains different exceptions to the right to have personal data deleted, establishes broader rights to access personal data and imposes tighter restrictions on data sharing for commercial purposes.

It is advisable that global companies who are impacted by the regulations should try to address the requirements of the GDPR and CCPA simultaneously and holistically.