It’s the second week of a new decade and there are already new regulatory changes that have major implications for corporate legal departments. On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) took effect requiring businesses to alter privacy policies to abide by new consumer regulations for 2020 and beyond. Piggybacking on Europe’s General Data Protection Regulation (GDPR), CCPA sets new rights and requirements for the distribution of California consumers’ personal information. Corporations across the country, and perhaps internationally as well, will be impacted by this new law.

Companies that adapted to GDPR, otherwise considered the new global standard for data privacy protection and undoubtedly the inspiration for CCPA, will inherently attempt to use similar protocols for CCPA compliance. Tech giants like Facebook and Google might come out unscathed using this method, because they have the means and resources to resolve issues as they arise. But other organizations, who do not have the same budget, may encounter a few hiccups at the onset. Because, while similar, there are distinctive differences between the two laws.

What is CCPA and why is it significant?

The purpose of CCPA is to enhance privacy rights and consumer protection for the residents of California. It gives California residents the right to access their personal information, request that a business delete their personal information, and opt out of having their personal information disclosed or sold.

This greatly impacts an organization’s privacy policy that does business in California and satisfies the required thresholds; the implementation of CCPA will affect the way these businesses collect and manage data. It creates a morass of new processes and technologies being put into place to abide by these new procedures.

Furthermore, it opens the door for other states to pass similar legislation in the years to come, perhaps even at the federal level. So the cost of not enforcing such procedures can cost a company more later down the line due to fines. Therefore, commiting to meet these requirements now, will save money in the long run. Businesses need to be prepared to respond and adhere to such regulations now and potentially in the future.

How does CCPA differ from GDPR?

There are a number of differences between CCPA and GDPR. While they both require detailed privacy notices, the content required to meet the criteria for each differs. A privacy policy that meets GDPR requirements will not likely satisfy CCPA requirements. Additionally, the requirements and general specifics of the law differ.




Business Requirements

  • 25 million in Revenue
  • Or 50% of Revenue Comes from Selling PI
  • Or Captures Data on 50K Residents
  • Established in the EU
  • Or Not Established and Offers Goods and Services to EU Residents
  • Or Not Established and Monitors an Individual’s EU Behavior

Regulatory Oversight

California Attorney General

Acting Authority Within Each Member State

Financial Penalty

Fine of up to $7,500 Per Violation

A Percentage of Gross Revenues

Breach Notification Rule

Notify As Soon as Possible

Notify within 72 Hours After Being Aware of the Breach

Grace Period

30 Days After the Initial Notice


Private Right of Action

May Initiate an Action to Recover Damages up to $750 per Incident or Actual Damages, Whichever is Greater

EU Citizens Have the Right to Pursue Compensation Claims Against Controllers

Setting Enabled to Deny the Selling of Personal Information


Not Required

Offer Incentives in Exchange for Data


Permissible, but Must Proceed with Caution

Requesting Access to Information

Requires 2 Methods for (Telephone and Website)

At Least One Method

Consumer Access Request Time Period

45 Days or More

30 Days or More


Similar to GDPR, CCPA grants individuals the right to opt-out of the disclosure and sale of their personal information. This means businesses are obligated to add the opt-out option when accessing their website or mobile apps. However, CCPA does not provide all of the same consumer rights as GDPR. One of the most significant differences being that legal basis is not required for processing personal data.





Consumers Can Opt Out of Third Party Data Selling

Opt in Consent Required for Minors

Access Data Rights

Delete Data Rights

Data Portability Rights

Legal Basis Required


Data Minimization Rights


Data Rectification Rights


Data Protection Officer Required



Who will be most impacted by CCPA and how does this apply to the legal industry?

The implementation of CCPA will create a new and complicated world for data privacy. The biggest question is who will be the most impacted by CCPA? And the question everyone is dying to know – how does it apply to the legal industry? We will cover this and more in our next blog in this 3 part series. Stay tuned for the next blog!