In the US, we often notice that what starts in California will eventually spread to the rest of the country. Whether it's related to fashion, culture or legal issues, if it starts in the golden state there's a good chance it will spread east in the US. Think about blue jeans and the modern-day plastic hula hoop as just two examples.

With that in mind, it came as no surprise when, on June 28, 2018, California Governor Jerry Brown signed into law another "first" – the most comprehensive (and the first statewide) consumer privacy law in the United States, known as the California Consumer Privacy Act (CCPA). Effective in 2020, the law will apply to any for-profit business that collects California residents’ personal information, does business in the State of California, and: (a) has annual gross revenues in excess of $25 million; or (b) buys, sells, receives or shares for a commercial purpose the personal information of 50,000 or more California residents, households or devices annually; or (c) derives 50 percent or more of annual revenues from selling California residents’ personal information.

And what about recourse? Consumers may be able to sue for up to $750 for each violation, while the state attorney general can sue for intentional violations of privacy at up to $7,500 each. For both consumer and state lawsuits, companies must be given 30 days to fix the problem.

With California’s population at an estimated 40 million people, it's hard to think of many companies that won’t be impacted by this law.

What is personal data?

From an summary: "The CCPA broadly defines the term "personal information" as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." As you can imagine, in this digital age numerous data points will be affected by the CCPA definition of personal information. And to make it even more daunting – companies only have until January 2020 to have their house in order to meet this regulation.


What are some of the rights under the new law?

The new law will give residents the right to:

  • Ask for the business reason for collecting their information.
  • Know all the data that a business has collected about them.
  • Refuse the sale of their data/information.
  • Delete the data a company has about them.
  • Agree to a mandated opt-in before the sale of children’s information (under the age of 16).
  • Know the categories of third parties with whom their data is shared.

Some have questioned this new law, wondering if it was passed as a mid-term “stunt” to sway the favor of voters, and whether individuals really care that much about how companies are processing their data. A recent survey from SAS, however, sheds light on Americans' views toward data privacy.

The survey says?

2018 SAS survey of 525 US adult consumers reveals big concerns about data privacy. In the wake of recent data scandals and the implementation of the General Data Protection Regulation (GDPR) in the EU, US consumers are increasingly worried about their personal data privacy. We asked Americans how concerned they were, how that affected their behaviors and trust of companies, and what should be done about it. Here's a summary:

  • 73% said concern over the privacy of their personal data has increased in the past few years.
  • 66% have taken steps to secure their data, like changing privacy settings, removing a social media account or declining terms of agreement.
  • 67% of US consumers think the government should do more to protect data privacy.

What they would like to see done:

  • 83% would like the right to tell an organization not to share or sell their personal information.
  • 80% want the right to know where and to whom their data is being sold.
  • 73% would like the right to ask an organization how their data is being used.
  • 64% would like the right to have their data deleted or erased.


State and local government entities managing large volumes of California consumer data, please contact Stephanie Kreiter, or Jessica Marchiori, regarding a consumer data privacy assessment, and to receive recommendations and an individualized consumer data privacy roadmap.