Violations of the requirements carry penalty thresholds that may expose large California-based businesses to substantial risk. Both organizations with existing privacy capabilities, such as those developed for General Data Protection Regulation (GDPR) compliance, and those without any previous preparation may need the entire grace period before the deadline to deploy necessary capabilities. Our road map illustrates how companies can achieve CCPA readiness by 2020. Taking action now will be all the more imperative for companies, as a second, more comprehensive version of CCPA is slated to be put before California voters as a ballot initiative in 2020.
Companies serving or employing California residents may find these five CCPA requirements have the biggest impact on their business plans:
1. Data inventory and mapping of in-scope personal data and instances of “selling” data
2. New individual rights to data access and erasure
3. New individual right to opt out of data selling
4. Updating service-level agreements with third-party data processors
5. Remediation of information security gaps and system vulnerabilities
The CCPA is the beginning of “America’s GDPR.” Similar to the GDPR, the CCPA will require organizations to focus on user data and provide transparency in how they’re collecting, sharing and using such data. But to what extent can a company extend its GDPR capabilities into its California operations to prepare for CCPA? Certain CCPA requirements overlap with the existing GDPR individual rights requirements, which may give GDPR-ready organizations a jump start on building a capability around user-data handling practices. Still, several policies, processes and systems will need updating to address differences between the two laws.
CCPA is the first state privacy law of its kind, and it may be just the beginning, as the future of domestic privacy legislation in the United States is just starting to unfold with this new law. With a deep bench of privacy professionals seasoned by the 2018 GDPR deadline, PwC can help your organization approach CCPA compliance, including operational and structural impacts. We'll also help you understand future US privacy legislation and regulations if and when they are instituted.
PwC Risk Atlas helps companies stay up to date on changes in cybersecurity and privacy regulations, know when to take action, create a prioritized implementation plan, and track its efficacy—all in one place.