Few Businesses Are Ready For California’s New Consumer Data Privacy Law

In 2020, one of your New Year's resolution might be to have better control of your digital privacy.  Now in California, it's not just a resolution, it's the law. The problem, though, is that some companies are pushing back against key provisions of this California Consumer Privacy Act California Consumer Privacy Act (CCPA). 

As of January 1, Americans are now finally protected by a comprehensive online privacy law, at least, the nearly 40 million Americans living in California are. But as with Europe’s GDPR, General Data Protection Regulation from 2018, at least some aspects of the CCPA could extend beyond the state.

The California Consumer Privacy Act has been effective since January 1st 2020, and it doesn’t look like anyone, even the state of California itself, is totally ready.  Draft regulations for enforcing the law are still being finalized at the state level, and questions about specific aspects of the most sweeping privacy regulation since GDPR are still not clear. 

The crux of the CCPA is this: if your company buys or sells data on at least 50,000 California residents each year, you have to disclose to those residents what you’re doing with the data, and, they can request you not sell it. Consumers can also request companies bound by the CCPA delete all their personal data. 

Despite the handwringing ahead of its deadline last year, GDPR went as smoothly as could be expected. And Facebook and Google are already facing billion-dollar lawsuits over alleged violations of the GDPR, but it will be years before those suits are closed. 

Until that time, small companies will have only a muddled sense of how they might be vulnerable to the rule, and compliance continues to be something of a puzzle.But the CCPA is likely to be an even greater compliance challenge. It’s the first sweeping legislation in the US to give consumers control over how their personal information is used online, and may signal how other states will seek to protect their residents’ privacy. 

California Attorney General Xavier Becerra has said that even though widespread enforcement of the CCPA isn’t likely until July, companies should not view the first six months of the year as a grace period. “We’re going to try to help folks understand our interpretation of the law,” Becerra said, “And once we’ve done those things, our job is to make sure there’s compliance, so we’ll enforce.”

James Steyer, CEO of children’s privacy advocacy organisation Common Sense, says he thinks most companies are making good-faith efforts to get in compliance with the CCPA.

Microsoft has said that it plans to implement the provisions of the CCPA not just in California, but for all its customers, too. 
Facebook looks to be taking a different approach toward CCPA, emphasizing that “we do not sell people’s data.”  Facebook already has tools to allow users to access and delete their information, wherever they live' although some of its critics 
challenge Facebook’s stance, since,  the company’s business model is based on collecting and monetising its users’ data.

Other commentator question how is a companies can ensure it is deleting the right customer’s data without collecting more information to verify them. Service provider agreements are another area where companies will have to take a close look at their practices; an agreement with a subcontractor or vendor should carefully spell out how any personal information is used or shared.

Most large tech companies, Steyer says, view the CCPA as being in their long-term interests because it will create more trust among consumers. 

“This is a landmark moment, it’s the first major comprehensive privacy legislation passed in the US since Zuckerberg was in kindergarten,” Steyer says. “But Facebook is trying to find ways to get around the law.”

The Verge:          Fast Company:           Varonis:          Techcrunch:        CNet:

You Might Also Read:

On Trend: Business Data Protection Laws:

 

 

« The Invisible Areas Of The World Wide Web
Top 20 Cyber Security Companies At The Start Of 2020 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Infoblox

Infoblox

Infoblox solutions help businesses automate complex network control functions to reduce costs, increase security and maximize uptime.

Fortify Experts

Fortify Experts

Fortify Experts is a search and recruitment firm specializing in Cyber Security.

L J Kushner & Associates

L J Kushner & Associates

L.J. Kushner is a leading Information Security recruiting firm.

Materna Virtual Solution

Materna Virtual Solution

Materna Virtual Solution security solutions enable user-friendly, secure mobile working environments.

Dispersive Networks

Dispersive Networks

Dispersive Virtual Network is a carrier-grade software-defined programmable network that is inspired by battlefield-proven wireless radio techniques.

Tevora

Tevora

Tevora is a specialized management consultancy focused on cyber security, risk, and compliance services.

ShadowDragon

ShadowDragon

ShadowDragon develops digital tools that simplify the complexities of modern investigations that involve multiple online environments and technologies.

Cylus

Cylus

Cylus, a global leader in rail cybersecurity, helps rail and metro companies avoid safety incidents and service disruptions caused by cyber-attacks.

QI ANXIN Technology Group

QI ANXIN Technology Group

QI ANXIN specializes in serving the cybersecurity market by offering next generation enterprise-class cybersecurity products and services to government and businesses.

Tapestry Technologies

Tapestry Technologies

Tapestry Technologies supports the Department of Defense in shaping its approach to cybersecurity.

Deduce

Deduce

Deduce use a combination of aggregate historical user data, identity risk intelligence, and proactive alerting to deliver a robust identity and authentication solution.

PA Consulting

PA Consulting

PA Consulting Group is a consultancy that specialises in strategy, technology and innovation. Our cyber security experts work with you to spot digital and technology security risks and reduce them.

vCISO Services

vCISO Services

vCISO Services is a small, specialized, veteran-owned firm focused on the needs of SMBs only.

Sri Lanka CERT

Sri Lanka CERT

Sri Lanka CERT is the National Centre for Cyber Security, which has the national responsibility of protecting the nation’s cyberspace from cyber threats.

QRC Assurance & Solutions

QRC Assurance & Solutions

QRC is a PCI QSA, QPA, ISO accredited, CPA and CERT-IN empanelled organization with vast experience in conducting certification, regulatory audits, pen testing services, training and more.

GlitchSecure

GlitchSecure

GlitchSecure helps companies secure their products and infrastructure through real-time continuous security testing.