CCPA: the Californian Consumer Privacy Act officially takes effect this January

By Merav Griguer, Sharone Franco


Adopted in June 2018, California's new Consumer Privacy Protection Act (CCPA) came into effect on January 1, 2020. Now considered as a priority, the question arises as to how companies can succeed in complying with all these laws, which have become complex to apply.

Which companies are concerned by the CCPA?

Regardless of where they operate, the businesses concerned by the CCPA are those that use the information of a consumer, as defined as a natural person, temporary or permanent resident of California, and that meet one of the following conditions:

• Have annual gross sales of $25 million or more;
• Purchase, receive or share the personal information of 50,000 or more household or appliance consumers per year;
• Derive 50% or more of its annual revenue from the sale of personal consumer data.

What changes for the entities?

The CCPA gives consumers the following rights:

Notice right: This information must be provided at the latest at the time of data collection, as well as the intended uses, and may be supplemented at a later date in the event of changes. This information should firstly concern the extent of the personal information that is collected about them and the company's overall activities, as well as the possible sharing of data with other entities;

Right to opt-out: The ability to opt-out of the sale of their personal information at any time;

Right to access and right to request deletion: Access to personal information that has been collected and to request its deletion;

Non-discrimination right: when the consumer exercises specific rights, entities are prohibited from discrimination (refusing to sell, imposing a different price, providing a different level or quality of service).

Is the CCPA an American version of the GDPR?

While the CCPA is undeniably inspired by the GDPR and grants consumers certain rights over the way their personal data is collected and used, the two regulations present clear differences, notably:

In conclusion:

A six-month grace period follows official entry into force of the CCPA. It must be highlighted that fifteen American states are in the process of developing their privacy laws following the CCPA. This multiplication of legal texts on the same issues and having their own specificities make things complicated at the legal point of view. This is why a federal law is strongly urged. This would offer digital players a stable and legal environment for creating products and solutions where economic players and users can reach a consensus on the use of personal data.