The California Consumer Privacy Act (CCPA) was signed into law in 2018 and goes into effect on January 1, 2020. In general (there are some nuances), the law applies to any business that collects or processes the personal information of California consumers and either (1) has $25 million or more in gross annual revenue; (2) derives more than half of its revenue from sharing of consumers’ personal information; OR (3) buys, sells, or shares personal information from 50,000 consumers or devices.
If the law applies to your business (by the way, the law does not apply to non-profits), you should: update your privacy notice and policies (my inbox has been full of these recently); update your “inventory” of data and processes relating to that data; and implement procedures for handling consumer requests pursuant to their rights under the Act. Most businesses, particularly those that have not already gone through this exercise for GDPR, are likely unprepared at present. However, recent developments indicate that the State of California does not intend to enforce the new law until July 1, 2020, giving businesses some more time if they haven’t adequately prepared. Companies that are able to demonstrate a good faith effort to comply with the law will be looked at favorably.
I would expect more information to come out in the next few months that will help businesses know whether their efforts are adequate to comply with the law. In the meantime, efforts are still underway to try to push Congress to pass a nationwide law to create uniformity and make compliance, theoretically, easier.