Data Strategy Briefing — California Consumer Privacy Act takes effect
The California Consumer Privacy Act became effective on 1 January 2020, activating new rights for California residents and obligating businesses to provide notice, access, deletion, and opt-out controls with verifiable processes for data governance and vendor management.
Executive briefing: The California Consumer Privacy Act took effect on . Covered businesses must now provide notice at collection, honor access and deletion requests, and enable consumers to opt out of the sale of personal information. The act also mandates reasonable security measures and imposes service provider contract controls, reshaping data inventories and consent flows for firms handling California residents’ data.
What changed
- Consumers gain rights to know categories and specific pieces of personal information collected, sold, or disclosed.
- Businesses must provide clear opt-out mechanisms for data sales and verify requests, especially for minors’ data where opt-in is required.
- Service provider contracts must include restrictions on secondary use and retention, affecting vendor onboarding and audits.
Why it matters
- Activates new regulatory exposure, including statutory damages for certain breaches and enforcement by the Attorney General.
- Demands comprehensive data mapping, retention policies, and request-response workflows to meet timelines and verification standards.
- Influences product design, marketing attribution, and ad-tech integrations through opt-out and non-discrimination requirements.
Action items for operators
- Finalize CCPA notices and privacy policy updates detailing categories, purposes, and sharing practices tied to data inventories.
- Operationalize intake and verification for access, deletion, and opt-out requests, including processes for household and minors’ data.
- Review vendor and service provider contracts to ensure CCPA-required limitations on processing, sale, and retention are in place.