By: Sari Richmond

Edited by: lauren levinson and alex brunet

The 2018 enactment of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, was a major step in US data privacy law. The CCPA, the first law of its kind in the United States, gives Californians more control over their personal data and places strict requirements on companies. [1] 

By giving people the right to know what personal information is gathered about them, to whom it is sold, and how to access, delete, and opt out of having their personal information sold, the CCPA seeks to improve consumer privacy. [1] 

Initial assessments suggest that the CCPA substantially increased consumer awareness and control over personal information. [2] Companies have been compelled to revise their data collection and processing practices, which has led  to greater transparency.

However, maximizing the law's effectiveness has been challenging for multiple reasons. Compliance costs for small and mid-sized enterprises have been overwhelming. [3] Additionally, the California Attorney General's office is mainly responsible for enforcement of the law, and has been criticized for a lack of proactiveness. Because one of the main goals of the law was to have a deterrent effect, this behavior from the Attorney General’s office may be stifling its effectiveness. [1] Furthermore, vagueness in the CCPA’s language has led to a variety of interpretations, complicating consistent enforcement throughout the state, especially because of California’s high volume of businesses and high population.

The CCPA can be seen as an addition to California's existing consumer protection laws, like the Unfair Competition Law (UCL) and the Consumers Legal Remedies Act (CLRA). These laws both aim to safeguard consumers from deceptive business practices and ensure fair competition. [4]

The CCPA works with some ideas present in the Fourth Amendment, which protects against unreasonable searches and seizures. By extension, these ideas can apply to individuals' control over their personal information. This aligns with the Supreme Court's decision in Katz v. United States (1967), which expanded the Fourth Amendment's protection to include certain expectations of privacy. From this perspective, the provisions outlined in the CCPA are safely constitutional as they hinge on the idea of personal privacy. [4]

However, critics argue that data, particularly in aggregate form, constitutes speech and that the law could infringe on the free speech rights outlined in the First Amendment. This argument parallels the Supreme Court's decision in Sorrell v. IMS Health Inc. (2011), where the Court struck down a Vermont law restricting the sale of prescriber-identifiable data. [6] The Court ruled in this case that the information about doctors' prescribing habits is a form of speech, meaning selling and using this data is protected under the First Amendment. [6] In addition, because the case concerned doctors and pharmaceutical companies, there was concern that speech was being restricted in a certain group of people – a perspective that could be applied to the CCPA as it clearly prioritizes personal privacy over the rights of a business to share information. 

The CCPA represents a notable step toward greater consumer privacy in the digital age. Thus far it has been effective, but faces challenges in enforcement and interpretation. Legally, it bridges consumer protection statutes with constitutional privacy and free speech considerations. As data privacy continues to evolve, the CCPA sets a precedent for future legislation, and it has the potential to influence broader federal data privacy laws.

Notes:

1. “California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General.” 2024. California Department of Justice. 

2. Mulgund, Pavankumar. 2022. “The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences.” Science Direct. 

3. Kessel, Emily, Sarah Miller, and Carrie Gardner. 2021. “Potential Implications of the California Consumer Privacy Act (CCPA) for Insider Risk Programs.” SEI Blog.

4. “California's Unfair Competition Law and Consumers Legal Remedies Act - 2023 Overview.” 2024. Steptoe. 

5. Stewart, Potter. n.d. “Katz v. United States.” Oyez.

6. Kennedy, Anthony M. 2011. “Sorrell v. IMS Health Inc.” Oyez.

Bibliography:

“California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General.” 2024. California Department of Justice. https://oag.ca.gov/privacy/ccpa.

“California's Unfair Competition Law and Consumers Legal Remedies Act - 2023 Overview.” 2024. Steptoe. https://www.steptoe.com/en/news-publications/californias-unfair-competition-law-and-consumers-legal-remedies-act-2023-overview.html.

Kennedy, Anthony M. 2011. “Sorrell v. IMS Health Inc.” Oyez. https://www.oyez.org/cases/2010/10-779.

Kessel, Emily, Sarah Miller, and Carrie Gardner. 2021. “Potential Implications of the California Consumer Privacy Act (CCPA) for Insider Risk Programs.” SEI Blog. https://insights.sei.cmu.edu/blog/potential-implications-of-the-california-consumer-privacy-act-ccpa-for-insider-risk-programs/.

Mulgund, Pavankumar. 2022. “The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences.” Science Direct. https://www.sciencedirect.com/science/article/pii/S2211883721000666.

Stewart, Potter. n.d. “Katz v. United States.” Oyez.

https://www.oyez.org/cases/1967/35.