CCPA: why ‘wait and see’ doesn’t work


By Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity

The one-year anniversary of the European Union’s General Data Protection Regulation (GDPR) recently passed, but the global landscape of privacy legislation continues to change on what, at times, feels like a daily basis.

Much of the current discussion is now turning to the California Consumer Privacy Act (CCPA), which will enter into application on 1 January 2020. While the legislation is still pending clarification from lawmakers on various elements, organisations doing business in California cannot afford to take a ‘wait and see’ approach to compliance.

While CCPA legislation may not be an omnibus style law like the GDPR, it has been inspired by it, particularly around data subject rights. The primary focus of the CCPA relates to individual consumer rights; the right to request information, right of deletion, right to opt-out of data being sold and obligations on businesses to inform consumers of what personal data of theirs will be collected and for what purpose – at or before the collection takes place.

In many ways CCPA is paving the way for a period of major change to the privacy compliance landscape in the US. At the time of publishing, Nevada and Maine have passed their own new privacy laws relating to consumer rights (Maine’s law applies to ISPs only) and an additional 10 laws are in various stages of debate and amendment in state governments including Louisiana, Texas, Vermont, New Jersey and Washington.

Nevada’s new privacy law will actually come into effect on 1 October 2019, three months before the CCPA. However, unlike the CCPA it applies only to operators of online commercial services, requiring these companies or individuals to seek permission to sell a consumer’s personal data.

The Louisiana bill focuses on protecting consumers online when using the internet and social media. While this may seem narrow, one of the definitions of the law seems to cover anybody operating a commercial website in the state of Louisiana, which would have significant implications for a large amount of organisations.

The Washington Privacy Act was introduced in January and passed in the US Senate two months later, but the bill did not make it to the House of Representatives for a vote. The prevailing sentiment is this bill will be brought back in future sessions.

While it is true that there are subtleties and, in some cases, significant differences among these legislations, there are also a number of commonalities in the requirements for businesses when amendments are made and bills passed. So while many companies will be hesitant and will be waiting to see what changes are made, the reality is that large scale changes to the core principles of data subject rights are unlikely. Getting your business ready now and minimising the time to compliance will ease the burden later down the line.

This is a lesson that the GDPR has undoubtedly taught businesses over the last year, with multiple examples of companies failing to have prepared for compliance and spending too much time in the assessment phase, facing serious financial consequences as Data Protection Authorities clamped down on breaches and non-compliance.

For those companies that are GDPR compliant, a number of key steps that will have been taken during this process can be used in order to work towards ensuring compliance with the CCPA and a number of other State laws undergoing proposal in the US. For example, the mechanisms that were put in place to address data subject requests can be enhanced to address California’s consumer rights provisions.

In addition, Article 30 of the GDPR contains numerous obligations relating to the ‘records of processing activities’, requiring organisations to retain a record of, among other things, how and why they have processed customer data. This inventory can also be enhanced to document processing activities related to California residents’ information.

The process of compliance with this section of the GDPR legislation can also be repeated to ensure adherence to a number of the requirements outlined within the CCPA, including for identification of data being transferred and sold to third parties.

Businesses simply cannot afford to adopt a ‘wait and see’ approach when it comes to preparing for CCPA and the rising groundswell of privacy regulations around the globe. By putting in foundational procedures and mechanisms to address consumer rights requests, and creating an inventory of processing activities, companies will be able to address many of the compliance obligations and lay the foundation for a comprehensive privacy program to mitigate risk and minimise overall time to compliance, now and in the future.

Teresa Troester-Falk has over 20 years’ experience in law, including 14+ years as a global privacy professional. Prior to joining Nymity, Teresa served as Associate General Counsel (Privacy) for Nielsen, where she expanded the company’s global privacy programme as well as initiated and led key global and regional privacy and data protection programmes and strategies to advance the company’s privacy agenda.




Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.