  • June 17, 2020

CCPA: the US Answer to GDPR - California Dream or a Data Protection Nightmare?

It seems that all we have heard about for the past year is GDPR, and it’s not over yet. Just this week we've heard how the UK data watchdog intends to fine Facebook the maximum amount of £500,000 for a data breach. Just as the dust starts to settle, and the influx of consent emails from big companies dies down, the US has jumped on the data privacy bandwagon. The State of California has passed a new digital privacy law, the ‘California Consumer Privacy Act’, which comes into force in January 2020. 

What is the California Consumer Privacy Act (CCPA)?

This new law affords consumers more control over their personal data in an online context. Consumers will have the right to demand that companies disclose the information they hold on them, and tell them the reason they hold it and who they share it with. Consumers may also ask companies to delete their information, and forbid them from sharing their personal data with others. Similarly to GDPR, fines for breaches will be higher than before. 

California isn’t the only US state having a rethink about data privacy.

In May, Vermont passed the first US law regulating data brokers (companies that sell individuals’ personal information). Data brokers will be required to register with the government, give people information on the data they hold on them (and how they can opt out from this), have certain policies and procedures in place, and report to authorities if there is a breach. California’s legislation is broader than that of Vermont; however, it is expected that the California standards will quickly spread throughout the whole of the US, especially since many companies (mainly in the tech sector, which will be mostly impacted by the law) are headquartered in California. 

How is privacy currently protected in the US?

Currently, the US has a patchwork of regulation governing data privacy. The US has taken a sector-specific and state-specific approach, meaning that while personal data is protected there is no federal blanket protection on an individual’s data. The current law in California already requires companies to disclose data breaches to Californian residents when their personal data has been compromised. California was also the first state in the US to require security breaches to be notified. It seems that California is, once again, leading the charge on the reform of privacy laws. 

Do US companies have a good grasp of GDPR?

GDPR came into force on 25 May 2018 and covers all companies processing or controlling personal information on EU residents, regardless of where the business is located. It seems that many US firms are not compliant with GDPR. A small number of US companies still appear to be unaware of the law. US firms are advised to create a ‘data map’, which sets out all the personal data of EU residents held by the business, and whether the firm is acting as a data processor or a data controller in respect of that data. Firms should then determine whether they have a valid legal basis for holding that data, or whether they require individual consent. They should also consider appointing a data protection officer. This is a huge project for a lot of firms, and indeed many EU firms are still getting to grips with the new requirements. US firms are encouraged to put some resource into implementing appropriate and effective policies and procedures to ensure that the data of EU residents is adequately protected. It is also true, however, that improved data protection policies can result in overall business gains: GDPR can have a positive impact on what you do.

What should UK firms be doing about the new law?

The California Consumer Privacy Act is not as extensive as GDPR, and so it is likely that UK and EU firms that currently comply with GDPR will broadly comply with the Californian regime. Nonetheless, if UK and EU firms are operating in California, or indeed holding data in respect of individuals resident in California, then it is advised that a gap analysis between the EU and Californian laws is carried out to determine if there are any areas which might need to be specifically addressed.        

In Summary

It seems that other countries will eventually catch up with the EU’s work on data privacy, and it doesn’t appear to be the case that the reforms in California and Vermont will end with those states. Regardless of where the laws legally apply, consumers are coming to expect more from companies, and expect their data to be kept safe and secure. UK and EU firms operating in the US should keep a watching brief on developments in the US, making note of any US-specific idiosyncrasies that they should build into their data protection processes. And US firms that are not currently compliant with GDPR should take immediate steps to ensure compliance. It looks as though the same principles will apply throughout the US soon enough anyway!

We hope that you have found this article useful, but often some expert legal advice is needed, so please feel free to contact LawBite if you have any questions or need help with drafting your contracts. You can take advantage of the free 15 minute legal consultation or the contract review service by calling the LawBite team on 0207 148 1066 or entering an enquiry here. Equally, feel free to contact the GDPR support team if you need any professional GDPR legal advice by calling our GDPR hotline 0845 241 1843 or entering an enquiry online here.


In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
