As most large companies probably already know (and if you don’t, I’m glad you’re here), the California Consumer Privacy Act (CCPA) recently went into effect after a two-year grace period to allow companies to comply.
This grace period is similar to the one given by the EU when they passed the GDRP, and I suggest reading my blog post about that as well if you’re looking for more information on these consumer privacy laws.
California was the first state to dramatically expand consumer protections that are related to privacy and security here in the U.S. They were also the first state to have a data breach notification law, so the CCPA doesn’t come as a big surprise. California is a leader in technology, with Silicon Valley being the birthplace of the modern internet as we know it, so it makes sense that California would be the pioneer for American privacy and security regulations online.
As to how and why the CCPA came about, here is some background information. The CCPA was hastily drafted and passed in 2018. It was put together practically overnight as a compromise solution that was made with the sponsors of a proposed initiative measure, Number 170039, a citizen ballot measure that would have created the Consumer Right Privacy Act of 2018.
The Consumer Right Privacy Act would have been a quite harsh and very anti-business law, so compromises were made. A legal reality in California is that a citizen-passed initiative that then becomes a ballot measure, and in turn becomes law is very difficult to amend.
So, if substantial changes were to be made it had to be before the law was passed. Ultimately what happened is the CCPA was put forth as a replacement for the ballot measure and was passed at the last minute, the day before the deadline to remove initiative measures from the ballot. It can be inferred that the tech industry really did not like the ballot initiative, with the drastic measures taken to compromise on the bill.
As expected of a hastily put together law, the CCPA is a bit of a mess. Well, a lot of a mess. But the rules and regulations put forth must still be followed, so in my next blog post, I’ll tell you all about how the CCPA works and what it requires. I’ll see you next time.