Expanded Privacy Protections Granted to California Residents: The California Consumer Privacy Act

Lisa Gumbs, Senior Consultant, Commercial Services, GDPR, Coalfire

In late June 2018, California passed a new consumer privacy law, the California Consumer Privacy Act (CCPA). The statute protects California residents, but its effects will reach well beyond California because it applies to organizations that do business in the state. The CCPA, which goes into effect on January 1, 2020, will be the broadest privacy law in the United States, granting more protections to personal data than any privacy statute currently in force.

Here are some of the key provisions:

Who must comply?

For-profit companies that do business in California, collect personal information from California residents, and meet at least one of these three thresholds:

  1. exceed annual gross revenues of $25 million;
  2. buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices annually; or
  3. derive 50 percent or more of their annual revenue from selling California residents’ personal information.

What type of information is covered?

All personal information collected from California residents is covered by the CCPA. The statute defines “personal information” broadly: in addition to standard identifiers, biometric information, and geolocation data, it includes commercial information such as a consumer’s purchase history, internet activity such as browsing history, and any inferences drawn about a consumer’s preferences, characteristics, psychological trends, behavior, attitudes, intelligence, abilities, and aptitudes.

The CCPA applies regardless of why the data was collected, so the law protects residents whether they provide the data as consumers, employees, patients, students, parents, or children. It covers not only information collected electronically or over the Internet but also the collection and sale of all personal information a business obtains from consumers; data collected by written document, audio, video, or other means is therefore covered as well.

What rights does it grant?

  1. The right to know what information is being collected and why. This includes the categories of information, the sources of the information, the specific pieces of information, and the purpose of collection.
  2. The right to know whether their personal information is sold or disclosed, and to whom.
  3. The right to say no to the sale of their personal information through an “opt-out” option.
  4. The right to access their personal information, to data portability, and to request deletion of their personal information.
  5. The right to equal service and price even if they exercise their privacy rights (an anti-discrimination provision).

What happens if an organization does not comply?

The California Attorney General will enforce the statute. Civil penalties run up to $2,500 per violation and up to $7,500 per intentional violation. In addition, the CCPA creates a private right of action for data breaches: consumers whose nonencrypted or nonredacted personal information is exposed because a business failed to maintain reasonable security procedures can sue for statutory damages of $100 to $750 per consumer per incident, or for actual damages if those are greater. That breach-related right is the only private cause of action the statute grants; other violations are left to the Attorney General.

What should companies be doing now to prepare for this new privacy law?

Companies will need to begin assessing the requirements of the CCPA and adjusting their business practices to ensure compliance. As part of that work, it will be important to review other applicable privacy laws and how they interact with the CCPA. Many businesses have already adjusted their practices to comply with the EU General Data Protection Regulation (GDPR), which went into effect in May 2018. GDPR compliance may help, but it will not ensure CCPA compliance, because there are significant differences between the two laws. Companies will need to assess their privacy practices against the CCPA, the GDPR, and any other privacy rules that apply to them.
