On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”). CCPA grants new privacy rights to Californian residents and applies a notice and consent framework to most businesses operating in California that collect personal information from those residents.
Effective January 1, 2020, Californian residents ─ referred to in the CCPA (and below) as “consumers,” although CCPA also covers employees, vendors and others ─ will have new rights over their personal information:
- the right to know what personal information is collected, whether the personal information is sold or otherwise disclosed for a business purpose. and to whom the personal information was sold or disclosed; 
- the right to access the personal information that a covered business has about them; 
- the right to deletion of their personal information; 
- the right to opt out of the sale of their personal information or, for minors under age 16, the right to opt in;  and
- the right to equal service and price, which means that consumers who exercise rights under CCPA must receive the same goods or services as those who do not (although certain financial incentives are permitted). 
To give effect to these new consumer rights, CCPA requires a covered business to provide a description of the rights, including specifically:
- describing, concurrently with or prior to collecting personal information, the personal information the business collects and the reason for its collection;  and
- listing the categories of personal information (i) collected by the business in the preceding 12 months and (ii) “sold” or otherwise disclosed for a “business purpose” in the preceding 12 months. 
A covered business also must respond to a verifiable consumer request:
- for a list of the specific personal information about the consumer that was collected, sold or disclosed during the preceding 12 months;
- for a copy (in paper or electronic form) of personal information collected about the consumer at no charge to him or her;
- to delete the personal information that the business collected, subject to the business’s legal obligations and other exceptions; and
- to opt out of the sale of his or her personal information. 
CCPA also authorizes a private right of action for unauthorized access to or disclosure of personal information if the access or disclosure results from a business’ failure to implement “reasonable” security procedures and practices that are “appropriate” to the nature of the personal information. 
CCPA has been compared to the General Data Protection Regulation (“GDPR”), the EU’s broad and strict privacy and data protection law that went into force on May 25, 2018.  Although CCPA offers some data privacy rights for Californians that are similar to GDPR, CCPA lacks many of GDPR’s privacy compliance infrastructure requirements.  As a result, businesses subject to CCPA that already have undertaken GDPR compliance will find CCPA’s additional requirements more process than substance.
Today, CCPA is challenging because some of its compliance requirements are unclear. The California Attorney General is tasked with adopting regulations, rules and procedures that should help to clarify how to comply in the future. Until then, an affected business can take the time to understand CCPA’s purpose and scope and to inventory the personal information about Californians that the business collects, uses and discloses, but it cannot necessarily undertake any specific compliance steps until the California Attorney General or legislature provides further guidance.