Our personal data is valuable, needing secure protection in this digital age.  In 2018, Governor Brown signed California’s Consumer Protection Act (CCPA), the toughest, most far-reaching data protection law ever passed in the United States. Though the law was passed in 2018, its provisions became effective January 1st of this year.

The CCPA grants Californians the right to request that businesses disclose any personal information collected about them, the categories and sources of the information, data on sales of that information to third parties, and the right to request deletion of personal data. The Act also grants consumers the right to opt out of the sale of their personal information, and prohibits businesses from discriminating against consumers for exercising those rights. Selling information about any consumer under age 16 is prohibited, unless specific authorization has been granted. In addition, if personal information is released due to a company’s failure to implement reasonable security measures, consumers will be able to sue. The Attorney General is charged with enforcing the CCPA, and just released modified regulations for enforcement, which begins on July 1st.

This complex law also has its downside. According to a report by the Attorney General, 75% of California businesses will be impacted by the Act.  Some of the requirements are burdensome, especially for small businesses, and the definition of what constitutes a “sale” is ambiguous. Estimates indicate that initial compliance costs for small companies with less than 20 employees would average $50,000, and could range up to $2 million for companies with more than 500 employees. The overall economic costs to implement CCPA could exceed $55 billion.

Legislative fixes and clarifications were discussed extensively last year, but stalled. More discussions are likely this year, but as is often the case in California, lawsuits and ballot initiatives are in the works.