Privacy and Data Protection

A New Decade in Data Privacy: Complying with the CCPA

Following daily headlines of data breaches and companies using or maintaining individuals’ data in less-than-desirable ways, governments around the globe have increasingly taken notice and started passing laws governing the rights of individuals with respect to their data, and the way others can permissibly use it.

Leading the pack was the European Union, whose General Data Protection Regulation[2] (GDPR) came online in 2018. While companies doing business in the European Union worked to become compliant with the GDPR, various states in the US recognized that the federal government lacks much, if any, framework around this issue. As a result, several states have contemplated passing their own data privacy laws and regulations.

The most significant of these laws, the California Consumer Privacy Act[3] (CCPA), was passed in June 2018. As California wrestled with the specifics of how compliance and enforcement would work, the state delayed the compliance deadline until January 1, 2020.[4] Enforcement of the law began on July 1, 2020.

In November 2020, California voters approved the California Privacy Rights Act of 2020 (CPRA), which significantly amends and expands the CCPA. Most of the CPRA’s substantive provisions become operative on January 1, 2023, with enforcement beginning on July 1, 2023.

The goals of this article are to (1) inform businesses whether they fall within the CCPA’s reach, (2) provide an understanding of the basics of the law, (3) provide an update on the key changes made by the CPRA, and (4) offer practical tips on how to comply.
