top of page

California Tackles Data Privacy—Again


Are you familiar with the California Privacy Protection Agency (CPPA)? The state agency currently oversees the California Consumer Privacy Act, a 2020 law which gave citizens more control over their data.

For those unfamiliar with the CCPA, the law entitled people to…

  1. notice about when and why their data is being collected, as well as who can access that information

  2. request information surrounding the access and sale of their personal data

  3. delete all of their collected personally identifiable information (PII) upon request

  4. opt out of the sale of their personal information

  5. nondiscrimination

  6. file private suits for violations to their PII

Now the CCPA is hoping to expand data privacy protections, by expanding the threshold of who qualifies as a covered entity, and demanding annual audits and risk assessments that ascertain businesses’ compliance with the proposed legislation.

These regulations were released on August 28, 2023.

What This Has to Do With You

If your company operates in California, or collects the PII of state citizens, then even YOU will have to comply with this new legislation, should its proposal pass.

Does your job collect money or personal details about customers? Is there an online shop available to people in California? Are you domiciled there or in any way do business in the state?

Then you could be in violation of the CCPA if you aren’t careful with the data in your care!

It’s not just about whether or not you break the rules, though. This targets gaps in the current legislation where people’s data privacy is at risk—and entitles even more people to data protection under the law.

What This New Legislation Would Contain

If this bill eventually passes, then covered businesses, and everyone working within those organizations, would need to:

  1. Conduct regular cybersecurity audits and risk assessments.

  2. Implement appropriate security measures based on the identified risks.

  3. Report certain security incidents to the CPPA.

  4. Make certain information about their cybersecurity practices publicly available.

These regulations apply to businesses that collect, sell, or share the personal information of California residents.

Of course, this is based on the proposal. The regulations are still in the early stages of development. The CPPA is currently soliciting public comments on the draft and plans to finalize the regulations after further consideration and revisions.


The purpose of legislation, like the California Privacy Protection Agency is proposing, is to conduct cybersecurity audits and risk assessments to protect consumers’ personal information. In other words, it’s not to trip you up as someone who manages others’ PII; it’s to set a standard of privacy for consumer information like yours.


0 views0 comments


bottom of page