The California Consumer Privacy Act (CCPA), enacted in 2018 and taking effect on January 1, 2020, gives consumers in California additional rights and protections regarding how businesses may use their personal information.1 The CCPA imposes many obligations on businesses that are similar to those required by the General Data Protection Regulation (GDPR) enacted by the European Union (EU). Nonetheless, a business that already complies with the GDPR may have additional obligations under the CCPA.

Scope and Cost

According to estimates prepared by Berkeley Economic Advising and Research, LLC., for the Standardized Regulatory Impact Assessment released in August 2019, the CCPA will protect personal data worth over $12 billion that is used in advertising in California each year. The cost of compliance with the draft regulations, but excluding general compliance costs with the underlying CCPA law, is estimated in the same report to total somewhere between $467 million and $16.454 billion in the period from 2020 to 2030.

Implementation and Concerns

While the CCPA took effect on January 1, 2020, enforcement, including the imposition of fines, will be delayed until June. Internet-based businesses, many of which are based in California, have been among the most vocal opponents of the law, arguing instead for U.S. federal legislation that would set uniform standards across the nation. Part of their concern is that each violation of the CCPA potentially could trigger thousands of dollars in fines, which can add up to massive amounts across perhaps millions of users in California alone.