California Consumer Privacy Act: Prepare now to gain an advantage

Early preparation is vital to avoid a last-minute panic and unforeseen risk

The California Consumer Privacy Act (CCPA) will usher in a new era of data privacy when it comes into effect on 1 January 2020. The Act will bring European-style privacy requirements to businesses that collect and control California residents’ personal information, do business in the state, and meet certain revenue thresholds.

While complying with the Act will take effort and resource, it will also help you better serve customers. Recent high-profile privacy cases, such as the Facebook-Cambridge Analytica scandal, have made consumers more aware of how their data is managed and the choices they have. So, preparing for the CCPA now can set you apart from your competitors.

Our work on over 50 privacy projects in the last year (largely helping global organisations respond to the EU General Data Protection Regulation) has taught us that early preparation is vital.

Adhere to the spirit of the California Consumer Privacy Act

Given the strong and open opposition to the CCPA by some companies, the final compliance requirements will likely evolve before it comes into effect. This makes adhering to the spirit of the regulation, rather than the letter, the most sensible option. It’s essential to understand your privacy capability gaps and define your operating model around data privacy, with specific capabilities, roles and responsibilities.

You need to get your operation ready, from understanding how you’ll engage customers and handle their inquiries, to knowing how you will cope minute-by-minute in the wake of a data breach. Only by going through this process will you fully realise the day-to-day impact of the CCPA. At a minimum, your operating model will need to consider:

  • how you maintain your inventory of personal data. This is an implicit requirement of the CCPA – without knowing where personal data is processed in your organisation, it’s hard to action requests from customers. It’s especially important to identify ‘shadow IT’ and associated data that may not be immediately obvious.
  • how you respond to requests, such as the right to deletion or right to opt-out. The CCPA establishes broad rights for California residents that you must be able to action.
  • how you make your employees aware of the regulation and train them in safe data handling. Awareness is your best defence against a breach.
  • how you check that your suppliers can meet the privacy clauses you put in contracts. The contract cannot protect you from the reputational damage that you will suffer if one of your suppliers has a breach of your data. You need assurance that your suppliers have appropriate controls in place.
  • how you enable the right to opt-out. Consumers will have the right to opt-out of any future sale of their personal information. To enable this, you’ll at least need a ‘do not sell my personal information’ link on your home page.

Beware the ripple effect

In Europe, many organisations that were underprepared for the GDPR were later caught out by their customers and suppliers asking for assurances around their compliance. As the CCPA date approaches, you can expect those that you do business with to seek assurances around your information security controls and ability to handle a data breach. You can also expect changes to contracts that enable right-to-audit clauses and service level agreements around data processes.

We found that the organisations that were able to respond most effectively to this ripple effect were those that had already taken the time to get their house in order. They were able to demonstrate compliance and provide assurances to their customer base, preventing costly and distracting audits.

Our recent work for a global asset manager with $700 billion in assets helped them dramatically increase their compliance position, build confidence with investors, and embed privacy capability across the organisation. This means they are now well prepared for the CCPA and can be confident that future privacy regulation will require only an incremental effort.

Your privacy program should embed the capability to comply with any future state-level regulation that might be released – this will prevent the need to run a separate program for every new privacy regulation that comes along.

A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?

Contact the authors

Contact the digital trust and cyber security team

Adam Stringer

Cate Pye

Elliot Rose

Justin Lowe
