5 Things to Know: California’s New Consumer Privacy Law

There’s plenty of discussion on what California's new consumer privacy law, CaCPA, will mean. Here’s a rundown on what we know about it now.

Just when we all had gotten used to what GDPR stands for, those in the data privacy space have a new collection of letters to get to know: CaCPA.

That’s the emerging abbreviation of choice for a recently signed piece of California regulation called the California Consumer Privacy Act of 2018.

The law, which goes into effect Jan. 1, 2020, has already been called “the GDPR of the U.S.” There’s plenty of analysis of the new law circulating around the web right now speculating on how much of an impact the regulation will have. Here’s a rundown on what we know about it now:

1. Who?

The law applies to the personal data of California residents. Companies doing business in California, handling resident data, and meeting any of the three following criteria must comply:

  • $50 million or more in annual revenue
  • Selling the personal information of more than 100,000 consumers per year
  • Receiving 50% or more of their annual revenue from selling consumer information

2. What?

The core of the CaCPA revolves around three main tenets:

An article from Tripwire has a great, plain-language rundown of the basics of the law.

3. When?

The law goes into effect Jan. 1, 2020. This seems to be a double-edged sword. It gives companies time to prepare, and it gives the California legislature time to make changes, if they see fit. Stay tuned.

4. Where?

California only, for now, though some industry analysts expect this law to be a template for wide-reaching consumer data privacy regulations for other U.S. states.

5. Why?

In short, data breaches. The legislators who shepherded the law through the California legislature (in only a week’s time, by the way) said as much in the press release announcing the bill’s passage:

“[The CaCPA] responds to the recent data breaches that have affected millions of people – those experienced by Target, Equifax, Cambridge Analytica, and many more. The collection of our information combined with data breaches has raised concerns from Internet users worldwide.”

So What Now?

Will this mark a major shift in U.S. privacy law? Many analysts believe that this will be the first domino to fall as other states emulate this law and as many businesses who have customers in California seek to comply.

Others believe it will finally prompt Congress to pass a federal privacy law. No matter the long-term impacts, the law is a definite recognition that the public’s concerns over data privacy are not going away.

As of yet, the CaCPA does not require privacy awareness training, like the GDPR does. But maybe it should. Check out our privacy awareness program offerings, or our free privacy awareness resources.
