News & Resources

California Consumer Protection Act…The Clock is Ticking


At this time last year, we were talking about the clock ticking towards the General Data Protection Regulation (GDPR). As you’re probably aware GDPR went into effect on May 25, 2018 and arguably sets the highest standards for data protection. GDPR has forced many companies globally to update their data protection practices and improve their compliance programs.

 This year the clock is ticking again, but this time it’s for the California Consumer Protection Act (CCPA). In June 2018 the California legislation passed the California Consumer Protection Act (CCPA). CCPA is the first U.S. effort at a comprehensive data protection law and will go into effect on January 1, 2020, a little more than 10 months away. CCPA affects companies doing business with California citizens that Have annual revenue that exceeds $25M, or buy, receive, sell, or share personal information on 50,000 or more CA households or devices, or derive 50 percent or more of annual revenue from selling consumer personal information

 Like GDPR, CCPA encourages transparency and gives individuals the right to control their data. But what impact will CCPA have and why should you pay attention to CCPA? California has the fifth largest economy in the world and will surpass 40 million residents in 2019.  California may not be the largest state but has significant influence with other states. What this potentially means is CCPA could become the benchmark that other states use to develop and implement their data protection laws and has the possibility to become as significant as GDPR.

 If you’re a business that is affected by CCPA you should begin working towards CCPA compliance as soon as possible. One of the primary questions I receive is, “if I’m GDPR compliant, am I CCPA compliant?”.  CCPA includes some data protection guidelines like GDPR, but the CCPA and GDPR are separate regulations. Compliance with one of the regulations doesn’t necessarily mean compliance with the other. Below are the key differences between CCPA and GDPR.

 If you need to assess your readiness for CCPA or GDPR contact Crayon at




Who it Protects

Consumers who are California residents

EU (European) Citizens and Residents

Personal Information

Any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household”

Any information relating to an identified or identifiable natural person, directly or indirectly.

Rights Granted

5 Rights Granted:


  1. Right to Disclosure
  2. Right to Deletion
  3. Right to Access
  4. Right to Opt-out
  5. Right to Non-discrimination


8 Rights Granted:


  1. Right to Be Informed
  2. Right of Access
  3. Right to Rectification
  4. Right to Erasure (to be forgotten)
  5. Right to Restrict Processing
  6. Right to Data Portability
  7. Right to Object
  8. Right in Relation to Automated Decision Making and Profiling

Right to Portability

The right to data portability only applies to the personal

data that has been provided by the data subject themselves

and that is processed on the basis of consent or contract

and the processing is carried out by automated means

The right to data portability is an extension of the right to

access, and therefore it is subject to the same limitation (e.g. it only applies to data collected in the previous 12 months).

Rights to Deletion / Right to Erasure

A consumer shall have the right to request that a business delete any personal information the business has collected


A business that receives a verifiable request from a consumer shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records

Data Subjects can request that businesses (controllers and processors) delete or forget their personal data. Data Subjects have the right to ask businesses to provide proof that their data has been removed. Additionally, businesses must contact everyone that they transferred the data to and ask them to delete the data.

Who Must Comply

California for-profit businesses that:

  • Have annual gross revenue of $25 million or more
  • Collects, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices or
  • Derives at least 50% of its annual revenues from selling consumers’ personal information

All companies if they have employees that are EU citizens and / or they are doing business with EU companies, citizens and residents

Legal Basis

The CCPA does not have a list of “positive” legal grounds

required for collecting, selling or disclosing personal


The GDPR provides that the processing of personal data will only be lawful where one of the six grounds under Article 6 is fulfilled:


  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public Task
  6. Legitimate Interests

Time Allowed to Respond to a Request

Within 30 days

Within 45 Days

Supervisory Authority

The Attorney General is expected to create regulations

“on, but not limited to,” specific areas of the CCPA.


The Attorney General has the power to assess a violation of the CCPA. The CCPA does not specify which activities are included in this assessment.

Data protection authorities have the task to promote

awareness and produce guidance on the GDPR.


Data protection authorities have investigatory and corrective powers.

Enforcement / Financial Penalties

Civil penalties can be issued meaning that the penalty is issued by a court. Depending on the violation occurred the penalty may be up to:


  • $2,500 for each violation;
  • $7,500 for each intentional violation

Administrative fines can be directly issued by a data protection authority.

Depending on the violation occurred the penalty may be up to either:

  • 2% of global annual turnover or €10 million, whichever is higher; or
  • 4% of global annual turnover or €20 million, whichever is higher

Complete the Free GDPR Awareness Questionnaire here.