California's Consumer Privacy Act

California's Consumer Privacy Act 864 486 N2K

California’s Consumer Privacy Act

The California State Legislature has passed A.B. 375 otherwise known as the California Consumer Privacy Act (CCPA) which grants consumers sweeping protections for consumers’ personal online data. The Act, set to go into effect on January 1, 2020, will grant all California residents increased ownership, control, and security when it comes to their online data. Below are some of the legislative components that have many experts calling CCPA a miniature version of the recently passed General Data Protection Regulation (GDPR) in the European Union. All companies and organizations both located in and doing business in California will be affected.  Let’s walk you through some of the key components, why you should care, and how you can prepare.


The act mandates that consumers can inquire as to what information private industry is collecting on them, their devices, and even their children. Consumers will also be given the the option to say “no” to having that data gathered. Moreover, a free annual service for consumers will allow consumers to view what specific categories of information have been collected on them. Finally, if an organization is selling personal information, the categories of data being sold and the organization it’s being sold to must be made available to the consumer.


CCPA also makes it impossible for organizations to discriminate against those who opt out of sharing their data. If an individual requests that their data not be shared or collected, businesses cannot charge the consumer additional fees or change the quality of service they receive.


Existing California law mandates that businesses establish “reasonable security measures” to protect California residents’ personal information. CCPA acknowledges that under the existing law and in light of continued breaches, organizations often ignore this law with impunity. CCPA will increase fines and penalties for private industry and make it easier for individual consumers to hold companies accountable for subpar security practices in the event of a data breach.

This groundbreaking legislation adds to California’s unique history of codifying privacy protections. In the early 2000s California was among the first states to pass breach notification and website privacy policy legislation, which proliferated in the United States thereafter. It’s important to note that the passage of the CCPA, however, endured a rather rushed legislative process and those drafting the legislation did not address any overlap or inconsistencies between the new law and any of California’s existing privacy laws. It is expected that the discrepancies and redundancies will likely reveal themselves when the law goes into effect in 2020.

Why Should You Care?

While many experts are keeping their eye on CCPA as one of the toughest data privacy laws in the country, it’s important for business professionals to know that CCPA rests on a myriad of other legislative and regulatory policies directed at cybersecurity and privacy regulation. We’ve previously discussed some of these initiatives when we laid out the state by state push for better breach notification laws. Among existing legislative efforts, the National Conference of State Legislatures has documented that in 2017 alone 42 states introduced 240 bills relating to cybersecurity and privacy. So what does this mean for organizations and how can you ensure your company remains compliant?

 “In 2017 alone, 42 states introduced 240 bills relating to cybersecurity and privacy.”

Risky Business

Fees, fines, and the potential for litigation means that your organization needs to be proactive about data privacy laws. Ensure that your regulatory environment and compliance efforts are a component of your cyber risk framework, and by extension, your larger enterprise risk considerations.

Stay Ahead

Stay ahead of data protection legislation by designating a point person within your organization who assesses existing data privacy laws, future trends, and potential implications for your organization. If you already have staff that monitor your regulatory environment, make data privacy a component of their research.

Take Action

Once your regulatory environment is sufficiently monitored and measured as a component of your larger enterprise risk, have a plan on how you want to address that risk. Using data from your risk and compliance teams, decide whether your organization needs to mitigate, transfer, or accept the risks associated with data privacy compliance.

How Can We Help?

Data privacy regulations are growing at an alarming rate for organizations on both the domestic and global fronts. However, your regulatory environment is only one aspect of your organization’s cyber risk that you need to consider. At N2K we have developed the Resolve Program to help educate your board, executives, and C-suite on many variables you need to account for in your cyber risk calculus. Whether you prefer in-person or digital training, our executive programs are available to help you understand the importance of monitoring your regulatory environment and compliance as an element of your organization’s cyber risk.