The California Consumer Privacy Act - What You Need to Know

In what may go down as one of the least surprising cybersecurity developments of 2018, the California state legislature has passed the California Consumer Privacy Act (CCPA), a data protection law that brings the key concepts of Europe’s GDPR onto American shores.

When it takes effect in 2020, the CCPA will create a set of obligations for businesses and rights for consumers, including new consent requirements, new mandated disclosures, a right to opt out of data collection, and a right to request deletion of personal information. The law also provides for new penalties when companies expose unencrypted personal information to theft or misuse. Sound familiar?

Of course it does. Once GDPR was on the books in Europe, it was only a matter of time before a similar law appeared in the US. The fact that a large percentage of American companies already have to comply with GDPR—because they do business in the EU—eliminated much of the political resistance that the CCPA would have met if it had been proposed a few years ago. And California, as the center of the US tech industry and the country’s pace-setter for tech law, was the natural place for such a law to appear. The Cambridge Analytica scandal (which is actually mentioned in the bill) sped up the process, and the CCPA was passed only a few days after being introduced.

So what’s next?

As with the GDPR, the CCPA might undergo rounds of amendment and revision before it takes effect. Companies like Google and Facebook are already pushing for changes to the law’s requirements and clarifications on how the law will be enforced. As the uncertainties get ironed out, other states will likely follow California’s example and pass similar laws of their own, bringing the US closer to a standard model of data protection.

With that in mind, here’s a look at some of the most significant aspects of the country’s newest cybersecurity law:


The CCPA applies to any company that collects or provides the personal information of California residents and meets one or more of the following criteria:

  • Has $25 million or more in annual sales
  • Buys, sells, or shares information on 50,000 or more individuals, households, or devices
  • Derives more than half of its annual revenue from selling personal information

Consumer rights

The CCPA creates a variety of new rights for California residents whose personal data is collected, processed, or sold by companies that are covered by the law:

  • The right to request information about what types of data a company has collected, the purpose of collecting it, and the names of companies to whom the data was sold
  • The right to opt out of data collection or sale
  • The right to request deletion of personal data

Like the GDPR, the CCPA sets criteria for when consumers may exercise these rights, and circumstances under which companies are exempt from complying with consumer requests.


Like the GDPR, the CCPA defines penalties that may be applied when companies expose personal information or otherwise fail to meet their privacy and security obligations. One unique aspect of the California law is that it sets specific dollar amounts that consumers can collect from companies in the event of a breach. A consumer can sue for between $100 and $750 without having to prove that they were actually harmed by a data breach, and can collect much more if they are able to demonstrate material harm.

Also like the GDPR, the California law only applies these sanctions if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate data-level measures, it cannot be used by unauthorized parties, so consumers are left unharmed.

Smartcrypt can help

Protecting sensitive data should be the top concern for any company that will need to comply with the California Consumer Privacy Act. PKWARE’s Smartcrypt provides the data protection capabilities organizations need in order to keep consumer information safe, whether the data is located on mainframe systems, file servers, employee laptops, or mobile devices.

Smartcrypt’s integrated data discovery and classification technology can also facilitate compliance with consumer requests for deletion or for copies of their own information, especially when data is located in documents, spreadsheets, or other forms of unstructured data.

PKWARE’s Smartcrypt is the only data security platform that integrates data discovery, classification, and protection into a single workflow. With Smartcrypt, you can find, protect, and manage sensitive data across the entire organization from a single point of control.