Apr 25, 2023

All About the California Consumer Privacy Act (CCPA)

If you haven't yet heard about the CCPA, this is your chance to get caught up. The closest thing to GDPR in the U.S., the California Consumer Privacy Act (CCPA) has actually been in effect since January 1, 2020, but many people are still unsure of its full effects.

What is the CCPA?

Put simply:

The CCPA is a landmark bill that aims to protect consumer privacy rights. Large technology companies like Google and Meta have less freedom with data harvesting, and consumers will have greater control over the personal information that these companies collect, store, and share.

California has made its name as the cradle of tech since even before the internet boom in the 1990s, with Silicon Valley as the beating heart. While startups have been flourishing in other parts of the world, Silicon Valley is still the epicenter of tech and innovation.

Now, any company that deals with the data of California residents will have to review its practices. The CCPA is in fact the most restrictive state privacy law passed anywhere in the U.S.

Why is the CCPA Happening?

Over the past few years, there has been a litany of data leaks and consumer privacy scandals, leaving consumers feeling wary about sharing personal information online.

The Cambridge Analytica debacle that revealed Facebook had compromised 87 million user accounts was the major headline. Amazingly, after a lengthy court battle, the social media giant has escaped with a paltry fine of £500,000 ($645,000).

Yahoo was not so lucky. Multiple breaches between 2012 and 2016 ended up costing the company $117.5M in a class-action lawsuit. LinkedIn, Capital One, Equifax, and Uber have all found themselves in hot water in the past few years, bringing the data-driven age under question.

As technology evolves and the world’s data reserves grow, so too does the threat of cyber-crime and data breaches. Research by Visual Capitalist found that 75 data records are compromised every second.

In the online world, much of 2018 was dominated by the hype around the European General Data Protection Regulation (GDPR). The changes enacted by the GDPR force companies to take more responsibility for consumer data and to inform consumers about the practices and processes involved in data collection.

In its first year, TechRepublic reported that there were over 200,000 cases of breaches and complaints, and over $60 million in fines issued. 

With GDPR now ingrained, it’s hard to find any reputable website that doesn’t display a notice to tell site visitors about their use of cookies. It was always only a matter of time before the U.S. followed suit.

Top tip: even if you are not located in the EU, if you're doing business with EU citizens you need to pay attention to GDPR. Read our full checklist for marketers.

How Does the CCPA Differ From GDPR?

While the GDPR came from the top down, the CCPA started from the bottom up, beginning as a grassroots initiative driven by a collective led (and funded) by wealthy real estate developer Alastair Mactaggart. The coalition called themselves "Californians for Consumer Privacy" and began their battle in San Francisco and Oakland as a citizen ballot initiative.

Mactaggart summarized the proposal as follows:

“Tell me what you know about me. Stop selling it. Keep it safe.”

In the wake of the Facebook scandal, the initiative built up a head of steam, defeating all opposition from the companies it would impact the most.

Google, Facebook, Comcast, Verizon, and AT&T created a fund to try and derail the CCPA, and are expected to continue their opposition in an effort to water down the new laws.

24% of C-suite members claimed the GDPR changes caused frustration with customers due to the extra steps needed to opt-in.

So just how is the CCPA different from the GDPR?

Well, whereas the GDPR applies to all companies, the CCPA only applies to larger companies, specifically those that satisfy these three conditions:

  1. They make more than $25 million in gross revenue
  2. They hold data on over 50,000 consumers
  3. They earn at least 50% of their income through data brokers (i.e., selling consumer data)

It’s understandable why the digital giants above are so opposed to this act, but there is another critical difference from the GDPR that may actually be the saving grace for these companies:

  • The CCPA is opt-out, meaning an individual consumer has to make the effort to do so if they don’t want their data collected or stored.
  • As such, marketers may be able to adhere to the laws without adding much friction to their marketing funnel and data collection processes.
  • Because of the opt-out nature of the CCPA, it doesn't have the same negative impact on marketing databases as the GDPR changes.

What the CCPA Means for Consumers

When the CCPA bill passed on May 29, 2019, many consumer protection groups celebrated, viewing this as a significant victory.

We live in a data-driven age, where companies leverage consumer data for personalized marketing, automated customer service, and laser-focused sales techniques.

This is a double-edged sword for consumers, as you can benefit from sharing more, but you run risks when companies aren’t taking care of your personal information.

“The Consumer Privacy Act will allow consumers to take control of and make informed choices about their own data, control that fosters a healthy relationship to technology and overall digital wellbeing,”

Under the CCPA, consumers have several fundamental rights:

  • Access - Request a full data disclosure from companies, accessing information that includes biometrics, internet browsing information, purchasing history, geolocation data, academic and employment information, and more.
  • Delete - If a consumer doesn’t like anything, they can request to have their data deleted.
  • Opt-out - Consumers have the right to opt-out so that a company cannot sell any of their data.

Ultimately, the CCPA gives consumers more transparency from companies so that they can have more control over their personal information.

What the CCPA Means for Companies

So, if your company satisfies the three conditions above, it would be expected to adhere to the CCPA regulations, which are:

  • Companies must make data available upon request via mail or email.
  • Companies must provide information on data selling, including who they sell to, how, and why.
  • Companies must honor consumer requests to opt-out of data collection.
  • Companies must honor consumer requests to delete their personal information.
  • Companies must continue providing products and services to consumers, even if those consumers have chosen to opt-out.

With these new restrictions placed on companies, it's easy to see why big corporations haven't been so keen on the CCPA. It's clear that the act is designed for consumers.

But what about the companies? Can the CCPA benefit companies too?

How the CCPA Could Benefit Companies

All companies in California have to be in line. Therefore, the playing field in California is, technically, level, with no business holding an advantage over another.

Some may worry that they're losing an edge on their competition for business outside of California, but here’s the thing:

California is not just one of the fifty states in the United States - it’s actually the fifth largest economy in the world.

Data protection is a global movement, and consumers all over the world want to know their personal information is kept safe. Companies who take steps towards greater compliance will be viewed as more trustworthy by consumers both in California and further afield.

Furthermore, with the CCPA clamping down on data selling, companies must rely on first-party data. By working harder to collect their consumer data, they ensure its integrity and accuracy.

In the long run, having more accurate data will be a solid foundation for any data-driven marketing strategies. It’s feasible that the CCPA may bring companies and consumers closer together, fostering greater trust and understanding between them.

What Happens if A Company Doesn't Comply With the CCPA?

The Attorney General (AG) of California is set to enforce a $7,500 penalty for intentional violations of the California Consumer Privacy Act. Also, if a company gets hacked, individual consumers may sue for $100-$750 per event, or possibly more if the damages are greater.

When you compare that to the GDPR, which gives EU regulators the power to fine companies over US$23 million, it’s quite easy to imagine a lot of businesses bending the rules of the CCPA. 

Despite its best intentions, there are some grey areas in the CCPA - most notable is the inclusion of a controversial "cure" provision. This provision effectively lets a company off the hook, providing they take certain steps to amend their data violation.

Many critics of the bill believed the California AG office would not be adequately prepared to police the CCPA law, and that companies might skirt the law, knowing they can rely on the “cure” loophole should they ever get caught.

A leading figure in a prominent privacy class-action firm, Jay Edelson, gave a damning review of the CCPA:

“Our view is that this is a disaster of a law because it scares the bejesus out of businesses and costs them a ton of money in compliance. But to us, it's totally toothless.”

Be aware of the CCPA

Many companies are not affected, due to their size. But what about big companies that deal with California residents? Their digital marketing teams need to be in line with the law. Digital marketers should be establishing processes for collecting and storing data, with strategies to deal with data release requests from consumers.


Updated 2023
