Data Privacy Law Update: The California Consumer Privacy Act

In 2018, two significant pieces of data privacy legislation were passed, across Europe, the EU General Data Protection Regulation (GDPR) and in the state of California, the California Consumer Privacy Act (CCPA). Previously, we’ve written about the GDPR and its impact for data privacy in the European Union. Here, we will provide an update on the breadth and scope of the CCPA. These new laws directly affect the jurisdictions in which they were enacted, and will also set global benchmarks for privacy legislation.

SOURCE: Twitter

SOURCE: Twitter


The California Consumer Privacy Act was passed in the California legislature, but it will have a broad reach and impact on businesses across the United States and around the world.

The CCPA specifically applies to businesses, and defines them as a company that is for-profit, does business in California and meets one (or more) of the following criteria:

  1. Annual gross revenues of $25 million+;

  2. Interacts with the data of 50,000+ California residents (where interact can mean the buying, selling or receipt of personal information);

  3. More than 50% of its annual revenues come from the sale of California residents’ personal information.

These criteria will have widespread application for a multitude of businesses. Even relatively small businesses will be subject to this legislation if they collect the data of more than 50,000 Californians. In addition, the gross revenue stipulation is not only in reference to revenues earned in California, but total revenues earned by a business anywhere in the world.

The CCPA gives consumers three main rights.

  1. The Right to Know: Businesses must disclose the personal data that they have either collected or sold.

  2. The Right to Opt Out: Businesses must inform consumers of their right to opt out of the sale of their personal data. If a consumer chooses to, they cannot sell their information unless that consumer opts back in, at a later date.

  3. The Right to Delete: Businesses must, at the request of a consumer, delete any personal data collected on an individual. This right has certain exceptions related to security concerns.

Personal information, as defined by the CCPA, is any “information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This wording is in response to the pervasiveness and importance of data in today’s society. Previous legislative definitions have defined personal information only as “individually identifiable information such as e-mail, telephone numbers or other specific identifiers.”

The CCPA goes on to provide examples of personal information in action, including “any electronic network activity, such as browsing history, information regarding consumer’s interactions with Internet websites or advertisements and inferences drawn from”. The CCPA seeks to protect consumers from businesses that desire to monetize and profit from their personal data.

In order to counter any potential discrimination that consumers could face as a result of exercising any of these rights, the CCPA also has a nondiscrimination clause. Businesses are not permitted to discriminate against a consumer for exercising any of these rights. The CCPA does allow businesses to motivate consumers to allow the collection and or sale of their data through financial incentives. This is putting the power and profit of monetized data back in the hands of consumers. This is one of the things that Sightline Innovation’s Data trust (SID) was designed to do.

SID comes to market at the perfect time in big data history.

SID is the only distributed AI software solution that allows data owners complete data sovereignty. At Sightline, we believe that data should belong to and be governed by those who create it. SID puts consumers in complete control of their data and gives them the means to monetize it. A Data trust establishes a technology framework that enables the control and sovereignty of data assets between trusted data partners. SID is for any organization that would like to share their data without sacrificing their ability to retain data ownership or benefit from related monetary gains.

The CCPA was originally intended to be a question on the ballot of the November 2018 midterm elections. In an effort to draft legislation that was more agreeable to both individuals and businesses, the California legislature unanimously passed AB 375, also titled the CCPA in June 2018. This new law will go into effect in 2020.

As a result of the broad and significant impact of this new legislation, the U.S. Senate Committee on Commerce, Science, and Transportation held hearings on consumer data privacy. Currently, specific data privacy legislation exists in some sectors. There is no federal legislation that broadly applies to the ownership and protection of individuals’ data. There is an opportunity for the U.S. Congress to introduce national legislation that would supersede the CCPA and there would be a benefit, to increase the clarity and consistency of regulation across the U.S.