Does the California Consumer Protection Act (CCPA) have teeth?

On January 1st, 2020, the strictest privacy law ever passed in the United States will go into effect: the California Consumer Protection Act (CCPA). This law will establish broad privacy protections and allow consumer interaction with previously private personal data across the United States. Many have questions regarding the potential impact this new law will have on businesses, specifically as to whether these rules will have a positive impact on society. To have a meaningful impact, the CCPA must exude authority and be enforced strictly. Here is how the CCPA will show its teeth if you aren't complying with the new law.

Financial impact

A 48-page research report released by California's Department of Finance revealed the broad range of potential costs companies might face in order to become and remain compliant with the CCPA. Researchers estimated that total compliance costs for all companies under the scope of the law will range from $467 million to $16.5 billion between 2020 and 2030. Firms with fewer than 20 employees (the low end of the spectrum) may have to pay around $50,000 initially to become compliant. On the upper tier, companies with more than 500 employees would average around $2 million in initial costs. Large companies and small companies alike will feel the impact right from the beginning. The total sum of initial compliance payments would be equivalent to 1.8% of California's GDP, a staggering percentage.

Scope of this impact

While the CCPA is a California state piece of legislation as opposed to a federal one, the impact will be felt by companies across the nation and the globe. The law will cover out-of-state merchants who sell to Californians or even display a website within the state. Rather than create separate systems, lawyers are in consensus that companies will likely apply the CCPA rules nationwide. Even if these laws do not project across the country, however, it is estimated that 75% of California businesses earning less than $25 million per year would be impacted by this regulation.

Furthermore, as public opinion is now in favor of data protection laws, Congress could use the CCPA as a springboard for broader federal legislation. House Speaker and California Representative Nancy Pelosi has strongly advocated for these protections federally. So, while the law technically applies only to businesses within California, the CCPA could impact companies nationwide in both the short term and the long term.

Penalties outlined in the CCPA

Violations of the CCPA carry significant penalties for noncompliance, similarly to Europe's privacy law, the GDPR. Each transgression can cost companies up to $7,500, while consumers may sue firms for up to $750 if hacked. These hacks raise a larger concern involving class action lawsuits allowed by a private right of action clause within the CCPA. The provision for statutory damages resulting from a data breach will increase class action activity because of the breadth of possible claims from plaintiffs due to California's broad data breach notification requirement, which is not limited to a risk-of-harm standard. This will put companies who are subject to the CCPA at serious risk regarding class action lawsuits.

Furthermore, the CCPA will likely allow the plaintiff's bar to bring Unfair Competition Law (UCL) claims, which prohibit businesses from engaging in unlawful, unfair, or fraudulent business practices. The UCL allows plaintiffs to borrow violations of other laws, such as the CCPA. Although the CCPA outlines in its first amendments of the data breach section that the private right of action shall only be applied to data breaches, the UCL has proven successful in providing a pathway to use violations of other laws as leverage for claims. The jargon behind these laws may seem confusing or broad, but companies must be aware of the possible risks they face when tackling the CCPA. The GDPR has already issued fines up to 20 million pounds, and a similar storm seems to be barreling down upon businesses in America.

The CCPA has bite

The California Consumer Protection Act will change the face of American privacy law as we know it. If companies are not properly prepared or informed about the future they face, the wide-reaching costs which will result from the CCPA, both internally and externally, will be an eye-opener. Silicon Valley has fought this legislation with hundreds of millions of dollars based on what they foresee happening in the future. Make sure your company is prepared to deal with the CCPA.


At oneDPO, we solve privacy engineering problems and help companies approach privacy the right way. Currently, we provide tools to help Data Protection Officers (DPOs) handle Data Subject Requests (DSARs) at scale.

Data Protection And Privacy Laws Across The World

We have talked at length about GDPR implementation across the European Union in our previous posts. However, data protection and privacy have been acknowledged as a concern across the world. Implementation of GDPR-like laws is not just a global trend but a requirement to ensure international trade and e-commerce. Data protection laws in different countries may be named differently and may have different levels of stringency, but the basic principles remain the same and can be summarized as follows.


Personal Data Sharing: Are We Really in Control?

The latest controversy surrounding personal data and how it's shared has served as a tremendous eye opener regarding how much control we really have over our personal data online. We would like to think that the implementation of the GDPR earlier this year would tip the balance in our favor, but instead, the situation is foggier than ever, and the struggle over the control of our data is only just beginning.


Latest bits on privacy and cybersecurity #6

Collection of latest articles and reports on privacy, data protection and cybersecurity.

What can we learn from Google's €50 million fine?

On 21 January 2019, the French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) imposed a penalty in the amount of €50 million on Google's U.S. headquarters, Google LLC, for infringements of the General Data Protection Regulation (GDPR). Specifically, for lack of transparency, inadequate information and lack of valid consent regarding ads personalization.


Happy Data Protection Day!

Today is international Data Protection Day. Yes, that's an official day! Data Protection Day, or as it is called outside Europe, Privacy Day, has been celebrated each January 28th since 2007.


I am happy to announce that my side project – – is live and open to the public. The primary aim of the project is to create and collect guidance and resources for data protection officers (DPOs) and everyone else interested in privacy and data protection. It is a living project – I will add more resources and functionality to the website. And I hope you will both find the project useful and help it grow – by adding resources and spreading the word.

There are still many functions and parts to be added – like the possibility for anyone to add a resource directly from the website. But we'll get there with time. At the moment – please use the contact form on the site. Or just email me links to resources that may be useful to others interested in privacy and data protection.