Privacy and Data Protection

A New Decade in Data Privacy: Complying with the CCPA

Following daily headlines of data breaches and companies using or maintaining individuals’ data in less than desirable ways, governments around the globe have increasingly taken notice and started passing laws governing the rights of individuals with respect to their data, and the way others can permissibly use it.

Leading the pack was the European Union, whose General Data Protection Regulation[2] (GDPR) came online in 2018. While companies doing business in the European Union worked to become compliant with the GDPR, various states in the US recognized that the federal government lacks much, if any, framework around this issue. As a result, several states have contemplated passing their own data privacy laws and regulations.

The most significant of these laws, the California Consumer Privacy Act[3] (CCPA), was passed in June 2018. Enforcement of the law began on July 1, 2020.

In November 2020, California voters approved the California Privacy Rights Act of 2020 (CPRA), which significantly amended and expanded the CCPA. This article uses the term "CCPA" to refer to the CCPA as amended by the CPRA.

Most of the CPRA’s substantive provisions became operative on January 1, 2023, with enforcement beginning on July 1, 2023. On March 29, 2023, the California Office of Administrative Law approved the California Privacy Protection Agency's (CPPA) proposed CPRA regulations.[4] The regulations will become enforceable on March 29, 2024.[5] The CPRA requires additional regulations to be issued on a variety of topics, including cybersecurity audits, risk assessments, automated decision-making, and profiling.

The goals of this article are to (1) inform businesses whether they fall within the CCPA’s reach, (2) provide an understanding of the basics of the law, and (3) offer practical tips on how to comply.
