CCPA: What you need to know

The California Consumer Privacy Act takes effect on January 1st, 2020. If you’re a dev or work for a software company, this affects you.

Patrick Walsh
Mar 22, 2019 · 6 min read

The California Consumer Privacy Act takes effect on January 1st, 2020. But it has provisions that reach back to January 1st, 2019. If you’re a software developer or work for a software company, it’s reasonably likely that CCPA is going to impact your roadmap, your website, and existing or planned features in the near future.


The California Consumer Privacy Act (aka CCPA or AB 375) of 2018 shot through the California legislature in seven days. It was going to be on the November ballot, and legislators feared it would become law without any opportunity for stakeholders (lobbyists and such) to weigh in and help shape it. The sponsors of the initiative agreed to take it off the ballot if the legislature would pass the bill within a deadline, which they did. In the process, they watered parts down, such as eliminating monetary rewards for whistle-blowers.

Does it even matter?

This law doesn’t apply to all businesses. It’s primarily targeted at large tech companies and data brokers. Where it does apply, it’s possible and maybe even likely that the law will be preempted or watered down before it goes into effect.

What does it do?

Although CCPA has been described as GDPR-light, it is in no way light on requirements or penalties. CCPA is focused on these core principles:

  • Control: consumers get the right to opt out of the sale of their data (for minors, the sale is opt-in). Consumers also have the right to see their data, the right to have it erased, and, perhaps most significantly, the right to privately sue for damages if a company gets breached (side note: a pending amendment would also give consumers the right to privately sue for privacy failures).
  • Data security: companies are liable for both fines and civil suits (individual or in classes) for any personal information that they fail to protect from hackers or other misuses (i.e., internal employees looking at data without a business purpose for doing so).

What are the penalties?

If a company does not adhere to the consumer rights in the bill, they can be fined $2,500 per violation, which the writers of the law intended to be per person per incident. There are provisions for this to be adjusted down in some cases and at the discretion of the Attorney General.

What businesses are impacted?

The law is generally aimed at two classes of businesses:

  • Medium and large companies: companies with greater than $25 million in annual gross revenues.


CCPA’s most significant contribution will be a massive increase in transparency of data collection and behind-the-scenes flows of that data. Consumers don’t have to give over their data unless absolutely required for the service, which means things like giving up an email address before getting access to a white paper will no longer be lawful. And buying credit monitoring services will no longer be sufficient to stop liability for data breaches. Most importantly, the law is likely to spread well beyond residents of California and to change many practices in the tech industry. Compliance initiatives should start immediately.

Dive Deeper

This blog barely scratches the surface, but we dove quite a bit deeper in our analysis. We break out the consumer rights, business obligations, exemptions, and likely impact in our 13-page white paper (and you’ve already read the first 5 pages). Dive deeper here:


Written by Patrick Walsh

Scholar, dreamer, creator, adventurer, hacker, leader and observer. Advocate for privacy and security. CEO IronCore Labs.
