The Hedge | Brutal Honesty Over Hype Since 2008
The California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act and collectively known as CCPA/CPRA, is California’s comprehensive consumer data privacy law. It applies to businesses that meet certain thresholds and significantly expands consumer rights over personal information. For tech companies, e-commerce businesses, and any company that collects meaningful data about California consumers, CCPA compliance is a real cost that most other states don’t impose.
Who CCPA Applies To
CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenues in the preceding calendar year exceeding $25 million (a figure adjusted periodically for inflation); annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling or sharing consumers’ personal information. Businesses below all three thresholds are generally exempt, though many smaller California businesses choose to comply anyway to reduce risk as they approach the thresholds, and a business that handles data as a service provider or contractor for a covered business still inherits obligations through its contract.
What CCPA Requires
CCPA gives California consumers the right to know what personal information a business collects about them, the right to delete their personal information, the right to opt out of the sale or sharing of their personal information, the right to correct inaccurate personal information, the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights. Businesses must respond to verified consumer requests within 45 days of receipt (extendable once by a further 45 days when reasonably necessary, with notice to the consumer), maintain records of requests and responses for at least 24 months, and update their privacy policies at least once every 12 months to disclose required information about their data practices.
The operational requirements are significant. Responding to consumer requests requires a process for verifying that the requestor is actually the consumer in question, a mechanism for locating all personal information held about a specific consumer across all company systems, and a workflow for deleting data subject to the statutory exceptions (data needed to complete a transaction the consumer initiated, to detect security incidents or fraud, or to comply with a legal obligation, among others). The verification step is a security control in its own right: a request portal that verifies too loosely becomes a self-service channel for an attacker to pull a victim’s complete data record, or to have it deleted, using nothing more than an email address and a few guessable details, while one that verifies too strictly denies legitimate requests and draws complaints. The regulations expect verification to a reasonable degree of certainty for less sensitive requests and a reasonably high degree for deletion and for disclosure of specific pieces of information. For companies with complex data architectures (multiple databases, third-party processors, analytics platforms) building this infrastructure from scratch costs real money.
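To make the three operational pieces concrete, here is a toy request-handling workflow in Python. It is an added example written for this page, not code from The Hedge or from any vendor product. The data stores, field names, the two-point/three-point verification tiers, the "orders are exempt from deletion" rule, and the use of 730 days to approximate the 24-month record retention are all assumptions constructed for illustration.

```python
"""
Added example (not from the original article): a toy CCPA consumer-request
workflow covering requester verification, locating a consumer's records across
several systems, deletion subject to exceptions, and a request log carrying the
45-day response clock and the 24-month record-retention window.
All systems, records, field names and thresholds below are constructed.
"""
from copy import deepcopy
from datetime import date, timedelta
import hmac

# Constructed sample systems: a CRM, an order database and an analytics platform.
# In a real deployment each is a separate database or a third-party processor.
DATA_STORES = {
    "crm": [
        {"email": "alice@example.com", "name": "Alice Liu", "phone": "555-0100", "zip": "94105"},
        {"email": "bob@example.com", "name": "Bob Ortiz", "phone": "555-0199", "zip": "90210"},
    ],
    "orders": [{"email": "alice@example.com", "order_id": 1001, "total": 42.00, "shipped": False}],
    "analytics": [{"email": "alice@example.com", "page_views": 17}],
}

# Assumption: order records are needed to complete a pending transaction or to meet
# a legal retention duty, so they survive a deletion request (a statutory exception).
DELETION_EXEMPT_STORES = {"orders": "needed to complete the transaction / legal retention"}

# Assumed verification policy modelled on the regulations' tiers: two matching
# identity points for category-level disclosure, three for specific pieces,
# deletion and correction. Fields are the identity points the CRM holds on file.
REQUIRED_MATCHES = {"know_categories": 2, "know_specific": 3, "delete": 3, "correct": 3}
IDENTITY_FIELDS = ("name", "phone", "zip")

REQUEST_LOG = []  # the 24-month request/response record


def _on_file(email):
    """Return the CRM profile for an email, or None (the CRM is the system of record)."""
    return next((r for r in DATA_STORES["crm"] if r["email"] == email), None)


def verify_requester(email, request_type, claimed):
    """Count identity points that match what is on file. Each comparison is
    constant-time so a failed attempt does not leak which field was wrong."""
    profile = _on_file(email)
    if profile is None:
        return False
    matches = sum(
        hmac.compare_digest(str(profile[f]).encode(), str(claimed.get(f, "")).encode())
        for f in IDENTITY_FIELDS
    )
    return matches >= REQUIRED_MATCHES[request_type]


def locate_personal_info(email):
    """Find every record about the consumer across all systems (the right to know)."""
    return {store: [deepcopy(r) for r in rows if r.get("email") == email]
            for store, rows in DATA_STORES.items()}


def delete_personal_info(email):
    """Delete the consumer's records except where an exception applies. Returns
    {store: 'deleted' | 'no records' | 'retained: <reason>'} for the response letter."""
    outcome = {}
    for store, rows in DATA_STORES.items():
        if store in DELETION_EXEMPT_STORES:
            outcome[store] = "retained: " + DELETION_EXEMPT_STORES[store]
            continue
        before = len(rows)
        rows[:] = [r for r in rows if r.get("email") != email]  # mutate in place
        outcome[store] = "deleted" if len(rows) < before else "no records"
    return outcome


def handle_request(email, request_type, claimed, received=None):
    """Verify, act, and log. Unverified requests are refused without disclosing data."""
    received = received or date.today()
    entry = {
        "email": email, "type": request_type, "received": received,
        "due": received + timedelta(days=45),             # 45-day response deadline
        "retain_until": received + timedelta(days=730),   # ~24 months of records (assumed)
        "verified": verify_requester(email, request_type, claimed),
        "result": None,
    }
    if entry["verified"]:
        entry["result"] = (delete_personal_info(email) if request_type == "delete"
                           else locate_personal_info(email))
    REQUEST_LOG.append(entry)
    return entry


def purge_expired_logs(today):
    """Drop request records older than the retention window; return how many remain."""
    REQUEST_LOG[:] = [e for e in REQUEST_LOG if e["retain_until"] >= today]
    return len(REQUEST_LOG)
```

The point of the shape is that a request that fails verification never touches `locate_personal_info` or `delete_personal_info`, so a guessed email address alone yields neither data nor a destructive action, and the exemption table makes the "we kept your order records, here is why" part of the response an explicit output rather than something a support agent has to remember.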
The Enforcement Mechanism
The California Privacy Protection Agency (CPPA) is the state agency charged with enforcing CCPA/CPRA, alongside the California Attorney General, with civil penalty authority of up to $2,500 per violation and $7,500 per intentional violation (or per violation involving a consumer the business knows is under 16). A private right of action exists for data breaches of nonencrypted and nonredacted personal information resulting from a failure to implement reasonable security measures: statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, plus attorney’s fees. For a breach affecting 10,000 California consumers, the potential statutory damages range from $1 million to $7.5 million before actual damages are considered. The “nonencrypted and nonredacted” qualifier matters in practice: encryption at rest with keys that were not also exposed in the breach takes the affected records outside the statutory-damages provision, which is one of the few places where a security control maps directly onto a dollar figure.
The Compliance Cost
A basic CCPA compliance program for a small to mid-sized business involves: a comprehensive audit of all personal data collected, processed, and shared; updated privacy policy with required disclosures; consumer request intake process (typically a web form and email address); staff training; and contracts with all third-party processors and data partners. Initial implementation by a competent privacy attorney or consultant: $10,000–$30,000. Annual maintenance including policy updates, request processing, and vendor management: $5,000–$15,000. For businesses that were not previously privacy-compliant, the initial audit often surfaces data practices that require architectural changes — adding additional cost. No other state has a comparable regime, though Virginia, Colorado, Texas, and others have passed privacy laws with narrower scope and less robust enforcement.