Skip to main content
Top Button
Start the Countdown to Year 2020: California Recently Enacted the Most Comprehensive Privacy Law in Start the Countdown to Year 2020: California Recently Enacted the Most Comprehensive Privacy Law in

Start the Countdown to Year 2020: California Recently Enacted the Most Comprehensive Privacy Law in the Country

By Nick Merker and Ice Miller summer clerk Tiffany Kim

On June 28, 2018, the California legislature passed the Consumer Privacy Act of 2018 (“CCPA”), which was immediately signed by Governor Jerry Brown. The law takes effect January 1, 2020. Racing to defeat a similar, but stricter, data privacy ballot initiative that was up for a vote this November, the state’s legislature swiftly passed the bill in days.[1]

The California Attorney General will have the authority to enforce the provisions of the statute and is required to develop implementing regulations. Given the forthcoming regulations and the opposition to the law by tech giants, who argue the law is too burdensome and will produce unintended consequences, the final compliance requirements will likely evolve between now and 2020. However, the newly enacted law offers insight to the progression of data privacy and serves as a framework for businesses’ strategic planning and compliance over the next eighteen (18) months.


The California Consumer Privacy Act of 2018 shifts the control of information and privacy back to the consumer by granting the following rights:

(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
California’s law mirrors many of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) components. With the intent to protect consumer privacy and enhance transparency, the new California law will require businesses, inter alia, to inform consumers about what information is collected, the business purpose for each category of information, and the source of collection. Companies will also have to accommodate consumers’ requests, including requests to: (1) delete the consumer’s personal information; (2) disclose the business purpose for collecting or selling such information to third-parties and what information is sold to specific categories of third-parties; (3) obtain a record of the specific pieces of personal information collected about that requesting consumer; and (4) direct a business that sells personal information not to sell the consumer’s information to third-parties. In accommodating consumer requests, the company will have to provide mechanisms to submit requests in a form that is reasonably accessible. The law requires, at minimum, two designated methods for submitting requests, including a toll-free telephone number and a website address, if the business maintains an online presence.

The company will have to display a uniformed opt-out “Do Not Sell My Personal Information” logo or button pursuant to Section 1798.135 and forthcoming regulations developed by the Attorney General[2] on its website homepage and in its online privacy policy. In addition to displaying the uniformed opt-out, outward facing privacy policies must contain specific content, such as two different disclosure lists. A list of the categories of personal information the company has disclosed about consumers for a business purpose and a list of the categories of personal information it has sold about consumers in the preceding twelve (12) months must both be maintained and disclosed.

Additionally, if a consumer exercises any of his or her rights under the CCPA, a business is not allowed to discriminate against that consumer by denying goods or service, charging different prices or rates, or providing a different level or quality of goods or services, unless that “difference is reasonably related to the value provided to the consumer by the consumer’s data.”[3]

As currently enacted, those who satisfy the following criteria will be subject to the California Consumer Privacy Act of 2018:
  • The company collects or processes California residents’ personal information;*
  • The company is a for-profit entity;
  • The company does business in California; and
  • The company meets one or more of the following thresholds:
    • Has annual gross revenues in excess of twenty-five million ($25,000,000)
    • Annually buys, receives, sells, or shares for commercial purposes, the personal information of fifty-thousand (50,000) or more California residents, households,** or devices***
    • Derives 50 percent (50%) or more of its annual revenues from selling consumers’ personal information.
*The CCPA vastly expands the definition of “personal information” by sweeping in Internet Protocol addresses, email addresses, geolocation data, internet browsing history, search history, and other information regarding a consumer’s interaction with a website, application, or advertisement.

**The CCPA does not define “household.”

***The CCPA defines “device” as “any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.”[4] This definition is not limited to only devices owned by California residents, which may impact businesses outside of California who have only minimal operations in the state.


If a business is notified of alleged noncompliance and that alleged violation is not remedied within 30 days of notification, the California Attorney General can impose a penalty of up to $2,500 per violation.[5]Any business that intentionally violates the CCPA can be subject to a civil penalty of up to $7,500.[6]

Additionally, the law only provides a private right of action within the data breach context. The CCPA imposes a substantive duty on businesses to maintain reasonable security procedures and practices in relation to the nature of the information collected and processed. If a business breaches that duty and the breach results in unauthorized access and exfiltration, theft, or disclosure of consumers’ nonencrypted or nonredacted personal information, then a consumer may institute a civil action. Statutory damages set a minimum recovery of $100 and a maximum recovery of $750 per incident, or actual damages—whichever is greater.[7] Furthermore, a court can grant injunctive or declaratory relief or impose other relief it deems proper.


If your company is subject to EU’s GDPR and has already taken measures to comply with GDPR, then it is likely CCPA compliance will be redundant in many aspects. In its current state, the CCPA requires explicit privacy policy content and opt-out mechanisms that GDPR does not specify. However, a complete compliance analysis comparing the final CCPA regulations with GDPR will determine additional obligations under the CCPA. Businesses that have already taken steps to fully comply with GDPR for EEA individuals should review their policies and procedures to extend many of the same protections to California residents.

Businesses that were not previously subject to GDPR should evaluate whether they have any CCPA compliance obligations. If you determine your business is subject to the CCPA, we suggest focusing your initial compliance efforts in the following ten key areas:
  1. Create a Data Map for Personal Information. A deep understanding of how your business creates, receives, maintains, or transmits personal information about California residents is foundational to a CCPA compliance program.
  2. Assess Data Security Practices. Your business should have a documented plan for complying with the CCPA’s requirements for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
  3. Evaluate Processes for Protecting Individuals’ Rights. Under the CCPA, individuals have enhanced rights with respect to their personal information, including the rights to transparency, access, deletion, and the restriction of the sale of their personal information to third-parties. Your business should decide how it will operationalize the CCPA’s requirements for protecting individuals’ rights over each category of personal information you process.
  4. Inventory Activities Pertaining to the Sale and Disclosure of Personal Information. The CCPA requires a business to maintain two different lists in its online privacy policy. One list is of the categories of personal information it has sold about consumers in the preceding twelve (12) months, and the second list is of the categories of personal information it has disclosed about consumers for a business purpose in the preceding twelve (12) months.
  5. Implement Valid Opt-Out Mechanisms. The CCPA includes stringent requirements for providing a uniformed opt-out logo or button. The current enacted law requires a “Do Not Sell My Personal Information” link to be displayed on a company’s homepage and its privacy policy. Your business should carefully implement necessary technological improvements to process consumers’ opt-out of the sale of personal information and requests.
  6. Assess Outward Facing Privacy Policy. There are specific content requirements for a business’s online privacy policy that will need to be assessed for compliance. For instance, a privacy policy must describe consumers’ rights and provide one or more designated methods for submitting requests.
  7. Implement Training. The CCPA requires that individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance are informed of all requirements regarding consumer requests.
  8. Examine Vendor Relationships. The CCPA requires businesses to update relevant vendor contracts to impose specific data privacy obligations on them. Specifically, ensure contracts with third-parties and service providers with whom personal information is shared reflect the vendor’s obligation and capability to appropriately respond to consumer requests to delete information.
  9. Develop an Internal CCPA Policy Manual. Although not explicitly required by the CCPA, we recommend creating an internal CCPA Policy Manual your company can not only use as a foundation for employee training, but also produce to regulators to showcase your compliance. The manual may contain policies and procedures that address topics such as opt-out mechanisms, individuals’ rights, processes for identifying the requesting consumer, vendor management, plans for receiving and remedying alleged noncompliance notices, and managing transfers to third-parties.
  10. Continue Monitoring Regulation Developments. Regulations and guidance from the California Attorney General are forthcoming and will further develop areas of the law, such as verification measures for consumer requests, definition of “personal information,” and the standardization of a uniformed opt-out logo or button.
We will keep appraised of the current developments as the California Attorney General publishes guidance and regulations. For guidance on strategic planning and compliance moving forward with the CCPA, please contact Nicholas Merker. Nicholas Merker, a former computer systems, network, and security engineer, is a partner and co-chair of Ice Miller’s Data Security and Privacy Practice

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] See Issie Lapowsky, California Unanimously Passes Historic Privacy Bill, Wired (June 28, 2018, 5:57 PM),; Glenn Fleishman, California Passes Groundbreaking Consumer Data Privacy Law With Fines for Violations, Fortune (June 29, 2018),
[2] Cal. Civ. Code § 1798.185(a)(4)(C).
[3] Cal. Civ. Code § 1798.125(a)(2).
[4] Cal. Civ. Code § 1798.140(j).
[5] Cal. Civ. Code § 1798.155(a); Cal. Bus. & Prof. Code § 17206.
[6] Cal. Civ. Code § 1798.155(b).
[7] Cal. Civ. Code § 1798.150(a)(1)(A).
View Full Site View Mobile Optimized