The California Consumer Privacy Act of 2018 (‘CCPA’) entered into effect on 1 January 2020. In particular, the CCPA provides certain rights to consumers, such as the rights of access and portability, to deletion, to opt-out, and to seek relief for breaches that involved their personal information. It was signed into law on 28 June 2018, after efforts by Alastair MacTaggart who was the main supporter of the ballot initiative which then led the CCPA to be passed unanimously by both houses of the California State Legislature. In addition, the CCPA was further amended in October 2019 by various bills which corrected technical details and implemented certain exemptions. The CCPA will be enforced by the California Attorney General (‘AG’) who will be able to bring civil actions for alleged violations.

Lisa J. Sotto, Partner at Hunton Andrews Kurth told OneTrust DataGuidance that, “There is no question that the CCPA will have a significant impact on future state and federal legislation. The CCPA has set the bar. While future laws might deviate from the CCPA, every provision of the law will be debated and considered in any new U.S. privacy legislation. Companies in the U.S. have spent months preparing for the January 1st compliance deadline. There is a rush to the finish and a number of the behind-the-scenes compliance processes will continue to be refined over the next few months. But there is a serious and earnest effort by most companies to comply.”

“Without the final regulations companies continue to be in limbo […] “

Alongside the CCPA, the AG has also released draft Regulations (‘the Regulations) which are to aid with the interpretation and implementation of the CCPA. The Regulations provide for clarity on how notice is to be given to consumers when collecting personal information as well as how businesses should handle consumer requests and the verification of said requests. However, this is currently in a draft form with the deadline for comments only recently ending.

Sotto further noted, “We are eagerly awaiting the final regulations. There are portions of the draft regulations that deserve to be reconsidered and rewritten (or dropped entirely). Without the final regulations, companies continue to be in limbo and compliance across U.S. companies will vary depending on whether companies are choosing to comply with the draft regs or just the law […] We have entered into a new era in privacy in the United States. We have been out of step with the rest of the world in sticking with our sectoral regime and the CCPA brings us one step closer to global aligmment.”

OneTrust DataGuidance produced, in collaboration, with the Future of Privacy Forum, a report comparing the CCPA with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), which was last updated in December 2019 to take into account the bills that amended the CCPA.

You can read the updated report here.

ALEXANDER FETANI Privacy Analyst