The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser-focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

To help address the confusion caused by the CCPA, Bryan Cave is publishing this multi-part Practical Guide to the California Consumer Privacy Act.

The CCPA requires that organizations put into place “reasonable security procedures and practices” to help protect personal information from being breached. If information is, nonetheless, breached, and the breach happens “as a result of” an organization’s failure to implement reasonable security, the statute permits impacted individuals to bring suit to recover a statutory liquidated damage of between $100 and $750 per consumer per incident.

There are over thirty statutes in the United States that require that companies take steps to protect personal information. Indeed, California Civil Code 1798.81.5 – which predated the CCPA by almost 15 years – contains a near-identical standard to that used within the CCPA. The only significant change that the CCPA makes to the existing data security law within California is the prospect that a plaintiff may be able to recover damages well in excess of the actual harm that they suffered as a result of a data breach.

From an international perspective, while California’s security standard is nearly equivalent to that used within the GDPR, it shows a clear preference for private class action enforcement, whereas the GDPR incentivizes enforcement through supervisory authorities.

CCPA Provisions compared with GDPR Provisions

Standard for protecting information
  CCPA: “A business . . . shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”[1]
  GDPR: “. . . the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk . . . .”[2]

Potential Regulatory Penalty
  CCPA: $7,500 for each violation.[3]
  GDPR: Up to the greater of 2% of total worldwide annual turnover or €10 million.[4]

Potential Liability to Impacted Individual
  CCPA: Up to the greater of $750 per consumer per incident or actual damages.[5]
  GDPR: Compensation for damages suffered.[6]

To comply with the CCPA, companies should:

  • Memorialize security policies and procedures in a written information security plan or “WISP.”
  • Review whether your WISP conforms to a known industry standard or framework.
  • Consider whether there are any security policies or procedures that have not been drafted, but should be included within your WISP.
  • Review the substance of your WISP on an annual basis.
  • Conduct periodic risk assessments to identify the primary risks to information.
  • Train employees on your security policies and procedures.

Companies across the globe have retained BCLP to review their WISP to spot anything that might be considered a red flag to a plaintiff’s attorney, a court, or a regulator. Find out more about how we help companies draft and review their WISPs.


Cal. Civil Code 1798.81.5(b) (pre-existing California security standard)

Cal. Civil Code 1798.150(1).

GDPR, Article 32(1)