
Does the California Consumer Protection Act (CCPA) have teeth?

On January 1st, 2020, the strictest privacy law ever passed in the United States will go into effect: the California Consumer Protection Act (CCPA). This law will establish broad privacy protections and allow consumer interaction with previously private personal data across the United States. Many have questions regarding the potential impact this new law will have on businesses, specifically as to whether these rules will have a positive impact on society. To have a meaningful impact, the CCPA must exude authority and be enforced strictly. Here is how the CCPA will show its teeth if you aren't complying with the new law.

Financial impact

A 48-page research report released by California's Department of Finance revealed the broad range of potential costs companies might face in order to become and remain compliant with the CCPA. Researchers estimated that total compliance costs for all companies under the scope of the law will range from $467 million to $16.5 billion between 2020 and 2030. Firms with fewer than 20 employees (the low end of the spectrum) may have to pay around $50,000 initially to become compliant. On the upper tier, companies with more than 500 employees would average around $2 million in initial costs. Large companies and small companies alike will feel the impact right from the beginning. The total sum of initial compliance payments would be equivalent to 1.8% of California's GDP, a staggering percentage.

Scope of this impact

While the CCPA is a California state piece of legislation as opposed to a federal one, the impact will be felt by companies across the nation and the globe. The law will cover out-of-state merchants who sell to Californians or even display a website within the state. Rather than create separate systems, lawyers are in consensus that companies will likely apply the CCPA rules nationwide. Even if these laws do not project across the country, however, it is estimated that 75% of California businesses earning less than $25 million per year would be impacted by this regulation.

Furthermore, as public opinion is now in favor of data protection laws, Congress could use the CCPA as a springboard for broader federal legislation.  House Speaker and California Representative Nancy Pelosi has strongly advocated for these protections federally.  So, while the law technically applies only to business within California, the CCPA could impact companies nationwide both in the short term and long term.

Penalties outlined in the CCPA

Violations of the CCPA carry significant penalties for noncompliance, similar to Europe's privacy law, the GDPR. Each transgression can cost companies up to $7,500, while consumers may sue firms for up to $750 if hacked. These hacks raise a larger concern involving class action lawsuits allowed by a private right of action clause within the CCPA. The provision for statutory damages resulting from a data breach will increase class action activity because of the breadth of possible claims from plaintiffs due to California's broad data breach notification requirement, which is not limited to a risk-of-harm standard. This will put companies who are subject to the CCPA at serious risk regarding class action lawsuits.

Furthermore, the CCPA will likely allow the plaintiff's bar to bring Unfair Competition Law (UCL) claims, which prohibit businesses from engaging in unlawful, unfair, or fraudulent business practices. The UCL allows plaintiffs to borrow violations of other laws, such as the CCPA. Although the CCPA outlines in its first amendments of the data breach section that private right of action shall only be applied to data breaches, the UCL has proven successful in providing a pathway in order to use violations of other laws as leverage for claims. The jargon behind these laws may seem confusing or broad, but companies must be aware of the possible risks they face when tackling the CCPA. The GDPR has already issued fines up to 20 million pounds, and a similar storm seems to be barreling down upon businesses in America.

The CCPA has bite

The California Consumer Protection Act will change the face of American privacy law as we know it. If companies are not properly prepared or informed about the future they face, the wide-reaching costs which will result from the CCPA, both internally and externally, will be an eye-opener. The Silicon Valley has fought this legislation with hundreds of millions of dollars based on what they foresee happening in the future. Make sure your company is prepared to deal with the CCPA.


At oneDPO, we solve privacy engineering problems and help companies approach privacy the right way. Currently, we provide tools to help Data Protection Officers (DPOs) handle Data Subject Requests (DSARs) at scale.