Law in the Internet Society

The new kid on the Block: CCPA and US Data Protection

-- By EricN - 26 Jan 2020

The internet user’s perception of data protection and the awareness about the use and storage of one’s personal data has enormously changed in recent years and countries all over the world are either working on or have already implemented new rules and regulations, providing their citizens the legal tools to (purportedly) do something about the potential misuse of their data. The implementation of the GDPR has definitely started a certain movement and this article wants to explore the recent shift in US data protection. With the California Consumer Protection Act (CCPA), a new landmark legislation came into force and the message of the new kid on the (privacy) block is clear: I cannot be ignored! So, it has to be asked if this historic shift in US privacy regulation changes anything? The signs are clear: yes, something has definitely changed!

US Data Protection in a nutshell

Although the Federal Trade Commission (FTC) has the authority to enforce data protection regulations on a federal level, there is no federal data privacy law in the US. Instead, most states have regulated privacy in one way or another on a state level. However, these regulations on a state level have various overlapping or incompatible provisions. For example, all states have data breach notification laws, but there are, for example, different definitions of what constitutes personal data and what constitutes a data breach (The U.S. Approach to Privacy Protection). In one word, US data protection is a patchwork.

The new kid: California Consumer Protection Act

Since January 1, 2020 the CCPA is in force hand its main goal is to primarily protect the personal data of consumers (at least for Californian consumers) and give them better control over their data. Despite the good intention of Californian lawmakers, the general tone in the jurisprudence is that the law is poorly written – it’s more than 10’000 words, which is undeniably very long for such a law – and according to Goldman “insanely complicated” (Eric Goldman, Internet Law: Case & Materials, July 2019 version). But the CCPA will be the toughest and most comprehensive data privacy law in the United States and it is hardly a coincidence that it comes from California (California is not only the largest economy in the United States, but also the world’s fifth largest economy: California at a Glance).

Consumer Rights

The CCPA empowers consumers in California with enhanced privacy rights (Section 2 CCPA), such as the right to access personal data that companies have collected from them and to demand deletion of such personal data. Unlike any other data protection law enacted (worldwide), the CCPA also requires companies to install an opt-out link on their website, allowing consumers to opt out of sharing their data with any third parties (Data Protection Report 2019).

Operational Impacts

This last consumer right has already led to visible changes: since January 1, 2020 many homepages have added a “Do Not Sell My Personal Information”. If the consumer is ready to accept his enhanced privacy rights, companies will definitely feel the impacts of the CCPA.

Why should companies care? The penalties under the CCPA are not as high as the potential penalties lurking overseas in Europe for GDPR non-compliance. The maximum penalty of $ 7’500 for intentional violations of the CCPA do not scare the big technology companies, which were essentially the ones who pushed back the hardest against the implementation of the CCPA (Tech Lobbyists Push to Defang California's Landmark Privacy Law). I think it’s the competition and the domino-effect they fear: once your main competitor claims he’s CCPA compliant, you are pressured to follow, because due to the increased privacy awareness, customers actually will perceive this and act accordingly. If you do it right, it could even be a marketing advantage.

CCPA – I came to stay!

California is definitely a pioneer in the legalization of data protection rights in the United States and the CCPA has set something in motion. Although the law only applies to California based companies who meet certain thresholds, it must also be observed by out-of-state merchants who sell to Californians (and as said, California is the world’s fifth largest economy). There is chance that companies will not create to different data protection systems, but rather apply the rules of the CCPA nationwide (Here Comes America’s First Privacy Law: What the CCPA Means for Business and Consumers).

The CCPA has influenced 11 states to introduce similar legislation, which all include their own, slightly different version of consumer rights. These movements amplify the problem of a data protection patchwork, but it might also motivate companies to implement a nationwide data protection compliance, or it even might result in efforts of the US Congress to step in and implement national comprehensive data privacy legislation.


After the endeavors many companies faced in May 2018 to get compliant with the GDPR, the CCPA has undoubtedly put the next regulatory challenge upon many US companies. Peer pressure and the enhanced consumers privacy awareness are just two of many arguments why US companies cannot ignore the CCPA. In terms of implementation costs, manpower and inexistent financial added value, these companies are facing a compliance nightmare, but none of them can afford to do nothing. So the CCPA has definitely changed how affected companies handle consumer data in the future and this is a good thing. If the CCPA were just empty words, it would not have been as strong politically opposed as it was.

The tools do something about consumer privacy are there, but so far, they were poorly used (only three out of ten European citizens have heard of their new privacy rights: One year of GDPR application). Has the CCPA changed anything? Definitely yes. The CCPA has not only set data protection legislation in various other US States into motion, it also helped to further increase the privacy awareness of US consumers. In the end, it is up to all of us to start appreciating the value of our data and start using the tools that were given to us by legislation like the CCPA. The new kid on the block definitely has set something in motion.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r3 - 26 Jan 2020 - 15:01:38 - EricN
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM