Not to Be Outdone, California Comes Up with Its Own Version of GDPR—the California Consumer Privacy Act

Made your peace yet with GDPR? If so, laid-back California’s got some news that will definitely harsh your mellow. Starting in 2020, the Golden State will have a GDPR law of its own. It’s called the California Consumer Privacy Act (CCP).

So now you need to do more than comply with Europe’s tough new data privacy-and-protection law. You also need to take steps to obey California’s law safeguarding online consumer information.

Unfortunately, CCP is just as tough as GDPR. Maybe even more so.

Under the California Consumer Privacy Act, each consumer affected by a data breach at your company can sue you. For as much as $750. Each consumer.

On top of that, the state’s attorney general can seek to fine you. Amount: $7,500 for purposely divulging confidential customer info. That’s $7,500 for each proven privacy violation.

Do the math. One-thousand records scooped up in a data breach? That puts you on the hook for $750,000 if all the victims demand their due. And $7.5 million if the state’s A.G. gets convictions because you unlawfully passed around 1,000 protected files.

California Consumer Privacy Act Details

CCP affects you if you do business in California and collect data.

Also, your company must annually generate at least $25 million in revenue.

CCP applies at less than $25 million in revenues when you collect data from at least 50,000 people, households, or devices.

Say you fail to meet any of those tests. CCP also applies when at least half your company’s annual revenue comes from the sale of personal info.

This part you’ll like. Say the law applies to you. You get a free pass of 30 days in which to correct violations before consumers or the attorney general can move against you.


A comparison of California’s law with GDPR suggests the two impose similar but in some ways different burdens.

For example, CCP lacks an opt-in requirement—a key feature of GDPR.

Another example. GDPR requires you to automatically make certain disclosures to consumers. However, the California Consumer Privacy Act requires consumers to ask for any type of disclosure.

One other distinction. CCP allows you to divulge private info so long as you offer consumers some sort of payoff before you start doling out the data.

In some regards, California’s law goes farther than GDPR. Consider this. CCP gives consumers the right to discover and actually see the info collected on them. It also gives them the right to find out to whom you sold or disclosed their data.

Moreover, the California Consumer Privacy Act gives consumers the right to prevent you from selling their personal information. As well, consumers can compel you to delete whatever info you collected on them.

And no retaliating against them for exercising any of these rights. No getting even by raising the prices you charge them. No showing them who’s boss by cutting back the services you give them.

California Consumer Privacy Act was a Compromise

They say that what happens in Vegas, stays in Vegas. But that’s Nevada. This is California. And what happens in California tends to spread to other states.

Indeed, observers foresee variations of California’s online consumer-protection law eventually popping up coast to coast and border to border.

Why? Because consumers like their online data and privacy protected by force of law.

The California Consumer Privacy Act, for instance, came about in response to consumer anger over privacy breaches and abuses at the hands of various online companies.

More to the point, CCP came about as a compromise to a stronger, citizen-spearheaded law. In California, laws can be created by a vote of the people. A wealthy real estate developer from San Francisco by the name of Alastair MacTaggart led a campaign for just such a vote.

MacTaggart reached into his pockets and pulled out close to $3 million to cover the costs of that campaign. Ultimately, his “California Consumer Personal Information Disclosure and Sale Initiative” qualified for a spot on the November general election ballot. He needed the signatures of 356,880 registered voters. He collected more than 629,000.

Now is the Time to Get Ready for CCP

Polls showed landslide-making voter support for MacTaggart’s initiative. But California lawmakers in the sway of Silicon Valley and Big Tech opposed the MacTaggart measure.

They convinced MacTaggart to withdraw it from the ballot if they could come up with a law of their own containing the initiative’s key provisions.

It took the legislature all of about maybe 15 minutes to draft that bill, approve it, and place it on the governor’s desk for signature.

Of course, CCP doesn’t take effect quite so quickly. You’ve got about a year-and-a-half to get ready for the California Consumer Privacy Act.

And just as with GDPR, Valet stands ready to help you prep for CCP. All you need do is drop us a line.