The CCPA comes into force on 1 January 2020, but from 1 January 2019 consumers may start requesting personal data under it.

What is happening?

All businesses that serve California-based consumers and either:

  • have $25m (or equivalent) in annual revenue, or
  • hold data on at least 50,000 people, or
  • collect more than 50% of their revenues from the sale of personal data
  • will need to comply with the California Consumer Privacy Act (the CCPA).

Why does it matter?

Consumers in California will be empowered with certain rights regarding their data. Retailers should be aware of the key consumer rights included in the CCPA:

  • right to know/access – businesses will need to comply with disclosure requests for information covering a 12-month period
  • right to opt-out – consumers in certain circumstances will have a right to opt-out of the sale of their information
  • right to deletion – consumers have the right to request that any personal information is deleted
  • right to equal service – businesses are prohibited from discriminating against a consumer for exercising any rights under the CCPA
  • reasonable security – retailers must implement reasonable security measures to protect against data breaches.

NOTE: The CCPA provides individuals with the ability to recover statutory damages ranging from $100-$750 per consumer per incident for data breaches

In the medium to long term, there is likely to be wider regulatory change in the USA. Reflecting the EU’s General Data Protection Regulation (GDPR), the introduction of the CCPA is a milestone in modernising the data privacy regime in the USA. Following the CCPA, two outcomes are widely speculated:

  • the CCPA is still being fine-tuned by the state and there has already been one round of revisions. Other states will follow California and adopt similar GDPR-like approaches, or
  • a federal-level data privacy framework will be enacted.

Either way, it is certain that we will see a more consumer-focused data privacy framework across the USA.