In 2018, the California State Legislature passed the groundbreaking California Consumer Privacy Act (CCPA), which will become effective as of January 1, 2020. The law creates a wide range of new rights for California residents and imposes significant compliance and transparency obligations on businesses that collect, store, and use consumer personal information. Commentators have noted that the CCPA draws inspiration in part from another sweeping similar consumer-data protection law—the European Union’s (EU) General Data Protection Regulation (GDPR), which came into effect as of May 25, 2018. The purpose of this article is to examine and summarize the key similarities and differences between the two regulations.
The CCPA applies to companies that do business in California and that buy, share, or sell the personal data of more than 50,000 California residents, that earn more than 50 percent of their revenue from the sale of personal data, and which have an annual revenue of over $25 million. The law’s definition of personal information is broad and includes items such as phone numbers, social security numbers, biometric information, and Internet Protocol (IP) addresses. The law provides California residents with the right to “be forgotten” (e.g., to have their personal information deleted from a business’s database) and the right to opt out of the sale of their information (which is broadly defined to encompass any exchange of consumer information for something of value). The CCPA creates a private right of action and an entitlement to statutory damages for non-compliance and imposes penalties of up to $2,500, increasing to $7,500 for each intentional violation.